Why is Cluster Count not working?

aditsss
Motivator

Hi Everyone,

I have created the below query in Splunk to fetch the error messages:

index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.3
| table app_name, Error_Message, cluster_count, _time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

I observe that for a particular error message like the one below:

[reactor-http-epoll-4,cd5411f55ef5b309d8c4bc3f558e8af2,269476b43c74118e,01] reactor.core.publisher.Operators - Operator called default onErrorDropped

Count is coming as 42, although the events with this error message are only 13.

I want to know if this is a problem with cluster_count.

How does cluster work in Splunk? Is my query taking cluster_count instead of actual counts?

Can someone guide me on this?


richgalloway
SplunkTrust

The cluster command uses somewhat "fuzzy" matching so non-identical events may be counted together.  To get a precise count, use the eventstats command.

index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| eventstats count as Count by Error_Message
| table app_name, Error_Message, Count, Time, environment, pod_name, ns 
| dedup Error_Message
| rename app_name as APP_NAME, environment as Environment, pod_name as Pod_Name

---
If this reply helps you, Karma would be appreciated.

aditsss
Motivator

Hi @richgalloway 

Just want to understand why the cluster count for the messages is coming as 42+.

I want to combine similar messages; that is why I have used cluster count.

Can you guide me on the same?

richgalloway
SplunkTrust

As I said in my first reply, the cluster command is "fuzzy".  It groups similar events rather than identical events.  Since we don't know the exact algorithm it uses, your count of events is likely to be different.

Use a higher value of t (the default is 0.8) to have the events be more similar.

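To make the "fuzzy" point above concrete, here is an added Python simulation (not Splunk's code and not the poster's query; the Jaccard term-overlap score and the greedy grouping are assumptions standing in for cluster's undocumented scoring) that runs the thread's rex over constructed events and contrasts the cluster_count at t=0.3 and t=0.8 with the exact eventstats-style count by Error_Message.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). The text after
# ERROR is the Error_Message that the rex in the thread extracts.
EVENTS = [
    "2024-12-01T10:00:01 pod=gw-1 ERROR [reactor-http-epoll-4] reactor.core.publisher.Operators - Operator called default onErrorDropped",
    "2024-12-01T10:00:02 pod=gw-2 ERROR [reactor-http-epoll-4] reactor.core.publisher.Operators - Operator called default onErrorDropped",
    "2024-12-01T10:00:03 pod=gw-1 ERROR [reactor-http-epoll-4] reactor.core.publisher.Operators - Operator called default onErrorDropped",
    "2024-12-01T10:00:04 pod=gw-1 ERROR [reactor-http-epoll-2] reactor.core.publisher.Operators - Operator called default onOperatorError",
    "2024-12-01T10:00:05 pod=gw-2 ERROR [reactor-http-epoll-2] reactor.core.publisher.Operators - Operator called default onOperatorError",
    "2024-12-01T10:00:06 pod=gw-1 ERROR [pool-1] com.example.db.ConnectionPool - Connection refused",
    "2024-12-01T10:00:07 pod=gw-2 ERROR [pool-1] com.example.db.ConnectionPool - Connection refused",
]

# The thread's rex, in Python's named-group syntax.
ERROR_RE = re.compile(r"(?<!LogLevel=)ERROR(?P<Error_Message>.*)")

def extract_error_message(raw):
    """Everything after ERROR, exactly as the rex in the query does."""
    m = ERROR_RE.search(raw)
    return m.group("Error_Message") if m else None

def terms(message):
    return set(re.findall(r"\w+", message))

def similarity(a, b):
    """Jaccard overlap of two term sets: an assumed stand-in for the
    cluster command's similarity score, not Splunk's actual algorithm."""
    return len(a & b) / len(a | b)

def cluster_counts(events, t):
    """Greedy single-pass grouping (assumed): an event joins the first cluster
    whose representative scores >= t, otherwise it starts a new cluster.
    Returns the cluster_count each distinct Error_Message would display."""
    clusters = []  # each entry: [representative term set, member messages]
    for raw in events:
        msg = extract_error_message(raw)
        if msg is None:
            continue  # no ERROR token: the rex would not extract anything
        tset = terms(msg)
        for c in clusters:
            if similarity(c[0], tset) >= t:
                c[1].append(msg)
                break
        else:
            clusters.append([tset, [msg]])
    return {msg: len(members) for _, members in clusters for msg in members}

def exact_counts(events):
    """What eventstats count by Error_Message gives: identical messages only."""
    return Counter(extract_error_message(raw) for raw in events)
```

With these events the onErrorDropped message shows cluster_count 5 at t=0.3 (the onOperatorError events share most of its terms and get pulled in) but 3 at t=0.8, matching the exact count.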

aditsss
Motivator

Hi @richgalloway 

I have attached the screenshot. I am getting a count of 361 with the below query:

index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.3
| table app_name, Error_Message, cluster_count, _time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

When I am clicking on the count 361, it's not showing anything.

I want to check what the events for the 361 count are.

Please guide me on the same.


richgalloway
SplunkTrust

I'm pretty sure you can't drill down on cluster results.
