Splunk Search

Why is Cluster Count not working?

aditsss
Motivator

Hi Everyone,

I have created the below query in Splunk to fetch the Error messages

index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.3
| table app_name, Error_Message, cluster_count, _time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

I observe that for particular Error message like below:

[reactor-http-epoll-4,cd5411f55ef5b309d8c4bc3f558e8af2,269476b43c74118e,01] reactor.core.publisher.Operators - Operator called default onErrorDropped

Count is coming as 42, although the events with this Error Message are 13 only.

I want to know if this is a problem with cluster_count.

How is the cluster command working in Splunk? Is my query taking cluster_count instead of the actual counts?

Can someone guide me on this?


richgalloway
SplunkTrust

The cluster command uses somewhat "fuzzy" matching so non-identical events may be counted together.  To get a precise count, use the eventstats command.

index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| eventstats count as Count by Error_Message
| table app_name, Error_Message, Count, Time, environment, pod_name, ns 
| dedup Error_Message
| rename app_name as APP_NAME, environment as Environment, pod_name as Pod_Name


---
If this reply helps you, Karma would be appreciated.

aditsss
Motivator

Hi @richgalloway 

Just want to understand why the cluster count for the messages is coming as 42+.

I want to combine similar messages; that is why I have used cluster count.

Can you guide me on the same?


richgalloway
SplunkTrust

As I said in my first reply, the cluster command is "fuzzy".  It groups similar events rather than identical events.  Since we don't know the exact algorithm it uses, your count of events is likely to be different.

Use a higher value of t (the default is 0.8) to have the events be more similar.

---
If this reply helps you, Karma would be appreciated.

aditsss
Motivator

Hi @richgalloway 

I have attached the screenshot; I am getting the count as 361 with the below query:

index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.3
| table app_name, Error_Message, cluster_count, _time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count


When I click on the count 361, it's not showing anything.

I want to check what are the events for 361 count.

Please guide me on the same.


richgalloway
SplunkTrust

I'm pretty sure you can't drill down on cluster results.

---
If this reply helps you, Karma would be appreciated.
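An added diagnostic search, not from any post in this thread, that addresses both the inflated cluster_count from the first reply and the missing drill-down from the last one: it runs cluster with labelonly=t so the original events are kept and tagged with cluster_label (the command's default label field), then reports per cluster how many distinct Error_Message values were merged and what they are. The index, ns, rex and t=0.3 are taken from the question; the field names cluster_count, distinct_messages and member_messages are chosen here.

```spl
index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| cluster field=Error_Message t=0.3 labelonly=t labelfield=cluster_label
| stats count AS cluster_count dc(Error_Message) AS distinct_messages values(Error_Message) AS member_messages BY cluster_label
| where distinct_messages > 1
| sort - cluster_count
```

A cluster whose cluster_count is 42 but whose distinct_messages is greater than 1 shows which unrelated messages the fuzzy match folded in; raising t toward the default 0.8 shrinks member_messages until each cluster holds one message.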