- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help on a count which is different in a subsea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
The search below returns me 558 events
`CPU`
| stats values(SITE) as SITE count(process_cpu_used_percent) as "Number of CPU alerts" by host
| rename host as Hostname, SITE as Site | search Hostname=9831
I am doing the same stats in a subsearch and in this case I have 4389 events!
`wire` earliest=-7d latest=now
| stats last(AP_NAME) as "Access point", last(Building) as "Geolocation building" by host
| join host type=outer
[| `CPU` earliest=-7d latest=now
| stats values(SITE) as Site , count(process_cpu_used_percent) as "Number of CPU alerts" by host ]
| rename host as Hostname | search Hostname=9831
What explain a such difference even if i use the same stats count
What I have to do in order to have the same number of events in the search and in a subsearch?
Unless it is not possible to have the same number of events in the subsearch?
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In second search you are using earliest=-7d latest=now with macro.
In first search there is no earliest and latest so it will take whatever you set in time filter in search.
Check count for this.
`CPU` earliest=-7d latest=now
| stats values(SITE) as SITE count(process_cpu_used_percent) as "Number of CPU alerts" by host
| rename host as Hostname, SITE as Site | search Hostname=9831
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In second search you are using earliest=-7d latest=now with macro.
In first search there is no earliest and latest so it will take whatever you set in time filter in search.
Check count for this.
`CPU` earliest=-7d latest=now
| stats values(SITE) as SITE count(process_cpu_used_percent) as "Number of CPU alerts" by host
| rename host as Hostname, SITE as Site | search Hostname=9831
Developer Spotlight with Brett Adams
Index This | What can you do to make 55,555 equal 500?
Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...
