Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why won't count match when using tstats?

mahesh27
Communicator
‎04-25-2023 05:47 PM

When compared to original query with tstats query success, failed  and total count is not matching.


original query:
index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs
|rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
|where isnotnull(COD_data)
|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs  count(COD_data) as totalcount

OUTPUT:

Successlogs Failedlogs totalcount
14 10 24

 

tstats query:

|tstats count where index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)
|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs  count(COD_data) as totalcount

OUTPUT:

Successlogs Failedlogs totalcount
1 0 1

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 11:23 PM

Apart from @VatsalJagani already pointed out, each of your searches works differently. The "raw" search extracts fields from events, then does stats count. The tstats search counts splitting by different values of the cod-data field. So even if your extractions matched in both of your searches, if cod-data field had always the same value, your "raw" search would extract and count all occurrences of that field but tstats would only give you one value at the beginning. And then you'd count that value (not sum!) so you'd end up with just 1 as the result.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎04-25-2023 11:21 PM

Hi.  When you run tstats count by prefix(cod-data=) you end up getting counts for each value of cod-data.

0<count of 0s>
1<count of 1s>
n<count of ns>

 And then

|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|stats count(Success) as Successlogs 

That will identify the fields where COD_data = 0 as Success
Finally the count with Count the number of rows of Success.. which = 1

So something like

|tstats count where index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)

| stats sum(eval(if(COD_data="0",count,0))) AS SuccessLogs, sum(eval(if(COD_data!="0",count,0))) AS FailedLogs,  sum(count) as totalcount

The key is that you want to sum the count

 

Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-25-2023 11:02 PM

@mahesh27 - I think that could be due to your extraction is different in both search:

  • |rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
  • PREFIX(cod-data=)

 

One starts with presentdata: and second starts with cod-data=

But cannot tell more without looking at actual events.

 

I hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top