Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why won't count match when using tstats?

mahesh27
Communicator
‎04-25-2023 05:47 PM

When compared to original query with tstats query success, failed  and total count is not matching.


original query:
index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs
|rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
|where isnotnull(COD_data)
|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs  count(COD_data) as totalcount

OUTPUT:

Successlogs Failedlogs totalcount
14 10 24

 

tstats query:

|tstats count where index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)
|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs  count(COD_data) as totalcount

OUTPUT:

Successlogs Failedlogs totalcount
1 0 1

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2023 11:23 PM

Apart from @VatsalJagani already pointed out, each of your searches works differently. The "raw" search extracts fields from events, then does stats count. The tstats search counts splitting by different values of the cod-data field. So even if your extractions matched in both of your searches, if cod-data field had always the same value, your "raw" search would extract and count all occurrences of that field but tstats would only give you one value at the beginning. And then you'd count that value (not sum!) so you'd end up with just 1 as the result.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎04-25-2023 11:21 PM

Hi.  When you run tstats count by prefix(cod-data=) you end up getting counts for each value of cod-data.

0<count of 0s>
1<count of 1s>
n<count of ns>

 And then

|eval Success=if(COD_data="0"  OR COD_data="", "Success", null())
|stats count(Success) as Successlogs 

That will identify the fields where COD_data = 0 as Success
Finally the count with Count the number of rows of Success.. which = 1

So something like

|tstats count where index=app-cod-idx   host_ip=11.123.345.23  sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)

| stats sum(eval(if(COD_data="0",count,0))) AS SuccessLogs, sum(eval(if(COD_data!="0",count,0))) AS FailedLogs,  sum(count) as totalcount

The key is that you want to sum the count

 

Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-25-2023 11:02 PM

@mahesh27 - I think that could be due to your extraction is different in both search:

  • |rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
  • PREFIX(cod-data=)

 

One starts with presentdata: and second starts with cod-data=

But cannot tell more without looking at actual events.

 

I hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...