Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why won't count match when using tstats?

mahesh27
Communicator
‎04-25-2023 05:47 PM

When compared to original query with tstats query success, failed  and total count is not matching.


original query:
index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs
|rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
|where isnotnull(COD_data)
|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs  count(COD_data) as totalcount

OUTPUT:

Successlogs Failedlogs totalcount
14 10 24

 

tstats query:

|tstats count where index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)
|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs  count(COD_data) as totalcount

OUTPUT:

Successlogs Failedlogs totalcount
1 0 1

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 11:23 PM

Apart from @VatsalJagani already pointed out, each of your searches works differently. The "raw" search extracts fields from events, then does stats count. The tstats search counts splitting by different values of the cod-data field. So even if your extractions matched in both of your searches, if cod-data field had always the same value, your "raw" search would extract and count all occurrences of that field but tstats would only give you one value at the beginning. And then you'd count that value (not sum!) so you'd end up with just 1 as the result.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎04-25-2023 11:21 PM

Hi.  When you run tstats count by prefix(cod-data=) you end up getting counts for each value of cod-data.

0<count of 0s>
1<count of 1s>
n<count of ns>

 And then

|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|stats count(Success) as Successlogs 

That will identify the fields where COD_data = 0 as Success
Finally the count with Count the number of rows of Success.. which = 1

So something like

|tstats count where index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)

| stats sum(eval(if(COD_data="0",count,0))) AS SuccessLogs, sum(eval(if(COD_data!="0",count,0))) AS FailedLogs,  sum(count) as totalcount

The key is that you want to sum the count

 

Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-25-2023 11:02 PM

@mahesh27 - I think that could be due to your extraction is different in both search:

  • |rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
  • PREFIX(cod-data=)

 

One starts with presentdata: and second starts with cod-data=

But cannot tell more without looking at actual events.

 

I hope this helps!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...