
Why does my search with "stats count" return more events than the actual events present?

Explorer

Stats count returns nine events for points 1 & 2.
But as shown in point 3 below, the actual event count is three.
Why is stats count displaying more? Please help.
These fields are extracted manually. Verbose search did not help either.

1) Output:9

index="index_test1" sourcetype="st_test1" Statusfield="Failure"  Service_Name="Service1" Hostname="myhost1"|stats count as Failed

2) Output: myhost1 -> 9

index="index_test1" sourcetype="st_test1" Statusfield="Failure"  Service_Name="Service1" Hostname="myhost1"|stats count by Hostname

3) Output: 3 events

index="index_test1" sourcetype="st_test1" Statusfield="Failure"  Service_Name="Service1" Hostname="myhost1"

Influencer

For the individual events, is Hostname extracted multiple times? (Also, is your first query actually stats count(Hostname) as failed instead of stats count as failed?)

Take this as a runanywhere example:

|makeresults count=3 | eval Hostname=mvappend("myhost1","myhost1","myhost1") 

I have 3 results; each result has extracted Hostname "myhost1" three times.

Doing | stats count(Hostname) after this would return 9, as does | stats count by Hostname... but you can see | stats count returns 3 and | stats dc(Hostname) returns 1.

Or all together:

|makeresults count=3 | eval Hostname=mvappend("myhost1","myhost1","myhost1") | multireport [stats count(Hostname) as n1] [stats count as n2 by Hostname] [stats count as n3] [stats dc(Hostname) as n4] [noop]
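A follow-up check for the multivalue case raised in the reply above, as an added example that is not part of the original thread: it counts how many Hostname values each event carries with mvcount, collapses duplicates with mvdedup, and then compares the event count with the value counts before and after deduplication. The data is constructed with makeresults, and the field names values_per_event, events, values_before_dedup and values_after_dedup are assumptions chosen for illustration.

```spl
| makeresults count=3
| eval Hostname=mvappend("myhost1","myhost1","myhost1")
| eval values_per_event=mvcount(Hostname)
| eval Hostname=mvdedup(Hostname)
| stats count as events, sum(values_per_event) as values_before_dedup, count(Hostname) as values_after_dedup by Hostname
```

To run the same check on real data, replace the first two lines with the base search and keep the pipeline from the mvcount line onward; any event with values_per_event greater than 1 has Hostname extracted more than once.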

Explorer

I have extracted Hostname only once.

For me | stats count returns 9, even though the actual event count is 3 in search.

But in the dashboard, both the | stats count and event count are showing 9.

0 Karma

Communicator

This is the description on the Splunk site for stats: Calculates aggregate statistics over the results set, such as average, count, and sum. The only thing I can think of is that it is aggregating the events so that you are seeing the same results but in different ways. I'm very new to Splunk though, so I could very well be wrong.

0 Karma

Explorer

Stats count returns 9.
Three different events get displayed that are actually present.

0 Karma

Communicator

Are there multiple outputs that are the same? Is it outputting the same thing three times, for the three events you have?

0 Karma

Explorer

The mismatch of count and events happens to some values, not to all.
Three different events get displayed that are actually present.

0 Karma

Communicator

So there are 6 events that are displayed when using stats count that aren't any of the three that are displayed normally?

0 Karma

Explorer

Yes. In many cases. Many times the stats count is more than the actual events present.

0 Karma