Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my search returning a different set of results after I replaced the 'dedup' command with 'stats dc()' to improve performance?

IRHM73
Motivator
‎08-03-2015 11:39 PM

Hi,

I wonder whether someone may be able to help me please.

I'm using the search below to successfully produce a given group of stats:

auditSource=ts auditType=RenewalStarted NOT [search auditSource=ts auditType=RenewalCompleted | table detail.nino] |
iplocation tags.clientIP |dedup detail.nino | fillnull value="Country Not Found" Country | stats count by Country

Because I know that the dedup command can be resource intensive, I've tried changing this by using the stats dc command as below:

auditSource=ts auditType=RenewalStarted NOT [search auditSource=ts auditType=RenewalCompleted | table detail.nino] |
iplocation tags.clientIP | fillnull value="Country Not Found" Country | stats dc(detail.nino) By Country

The problem I have is that although I'm using the same date period, the search is not returning the same set of results.

I just wondered whether someone may be able to look at this please and offer some guidance on where I may have gone wrong.

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

IRHM73
Motivator
‎08-04-2015 11:28 PM

Hi thank you for coming back to me. When I omit the fillnull from the second query the number of events are still greater than the initial query and the count significantly reduced.

However If I changed the latter query to auditSource=tc auditType=TCStarted NOT [search auditSource=tc auditType=TCCompleted | table detail.nino] | iplocation tags.clientIP | fillnull value="Country Not Found" | stats dc(detail.nino) By Country which is now working perfectly.

Kind regards

Chris

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

IRHM73
Motivator
‎08-04-2015 11:28 PM

Hi thank you for coming back to me. When I omit the fillnull from the second query the number of events are still greater than the initial query and the count significantly reduced.

However If I changed the latter query to auditSource=tc auditType=TCStarted NOT [search auditSource=tc auditType=TCCompleted | table detail.nino] | iplocation tags.clientIP | fillnull value="Country Not Found" | stats dc(detail.nino) By Country which is now working perfectly.

Kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-04-2015 06:35 AM

Is it the same without the fillnull command?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...