Solved: Re: Why is the calculated count for a field showin...

jordanking1992 · ‎01-08-2019

Hello,

I am having trouble understanding why the counts for a particular field are off. The time frames for both the screenshots below are the same. The only difference is the view for the results.

The first screenshot says the count for namespace field "example" is 261,158 and the search used was:

index=network

The second screenshot says the count for namespace field "example" is 435 and the search used was:

index=network namespace=example

You can see that there is a drastic difference in "count" for the namespace field "example".

Thoughts?

afurrowgtri · ‎01-08-2019

What happens if you add this before your stats? I suspect it may be making some assumptions when the namespace field is null.

| eval namespace=case(isnotnull(namespace),namespace)

Does | stats dc(namespace) also produce erroneous results?

View solution in original post

afurrowgtri · ‎01-08-2019

What happens if you add this before your stats? I suspect it may be making some assumptions when the namespace field is null.

| eval namespace=case(isnotnull(namespace),namespace)

Does | stats dc(namespace) also produce erroneous results?

jordanking1992 · ‎01-08-2019

Apologies, the eval command worked and showed me the where the rest of the count was coming from.

Thank you for your help!

Why is the calculated count for a field showing way more than the actual events?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life