Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is summary index search returning duplicate and incorrect counts of data?

smaran06
Path Finder
‎02-01-2017 04:29 PM

Hi Team,

I am populating the data in summary index using the following Splunk search

index=data"  | sistats count as total by  appName,trueclient, httpstatus,request_uri

when, I do stats over this

index=summary_ |stats count as total by appName.

We are getting lot of difference in counts.

When, I run the search directly the app counts are very low, then on summary index it's very high. Why summary index data is returning wrong data? is it because, I added trueclient, httpstatus,request_uri in sistats?

0 Karma
Reply

briancronrath
Contributor
‎02-02-2017 03:22 PM

When you search for just

index=summary_

How many different source values are you getting? Are you getting sources outside of the search you used to populate it? If so, limit down to just the name of the search as your source when you search and see if the numbers look better.

0 Karma
Reply

somesoni2
Revered Legend
‎02-01-2017 09:36 PM

When you use the si* command for summary index, you need to use the same aggregation command on the summary index data. Give this a try and see if the counts are matching.

index=summary | stats count as total by  appName,trueclient, httpstatus,request_uri | stats sum(total) as total by appName

compare with this.

index=data |stats count as total by appName
0 Karma
Reply

smaran06
Path Finder
‎02-02-2017 03:18 PM

Thanks, still the count is not matching, summary index is at very high when compare to data which is not is summary index

0 Karma
Reply

graa1005
Explorer
‎02-23-2018 06:06 AM

I have exactly the same problem. Multiple entries in the summary index for the same data. Only one value for info_search_time So it looks like it is one search. only outputs on multiple indexers.
If i deleted the summary data and re runtje job to add the results to the summary index.I get double data only different as the previous summary data. So only a part of the data is double.

0 Karma
Reply

graa1005
Explorer
‎02-23-2018 06:10 AM

Some data can exist multiple times. IN my case up to 5 times. (i have 5 indexers)

0 Karma
Reply

ddrillic
Ultra Champion
‎02-23-2018 06:55 AM

We normally put a safe-guard to avoid duplicates. A left join in the spirit of - | join type=left <field> [search index=<summary index name>| eval matched="Y"]

0 Karma
Reply

graa1005
Explorer
‎02-23-2018 07:00 AM

ddrillic my search does NOT generate duplicates. I execute the search ones a day to generate a summary of the records of the day before.

0 Karma
Reply

ddrillic
Ultra Champion
‎02-23-2018 07:03 AM

Sorry ; -)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...