Splunk Search
Highlighted

metadata vs stats count

Ultra Champion

When running | metadata index=myindex type=sources, I see 301785788 for my totalCount for one of my sources (let's call it source1).

When running index=myindex source=source1 | stats count, I see 219717265 for my count.

Both searches are run for April 1st, 2014 (not today).

Why does metadata provide a different totalCount than stats count of the same sourcetype and index over the same historical time period on the same search head?

Running splunk 6.0.3.

Tags (2)
0 Karma
Highlighted

Re: metadata vs stats count

SplunkTrust
SplunkTrust

The metadata search command is not time bound. As per documentation for metadata search command:-

The metadata command returns data about a specified index or distributed search peer. It returns information such as a list of the hosts, sources, or source types accumulated over time and when the first, last, and most recent event was seen for each value of the specified metadata type. ****It does not provide a snapshot of an index over a specific timeframe (such as last 7 days).****

So what | metadata index=myindex type=sources is showing, is for all time (always) and what index=myindex source=source1 | stats count is showing is just for your time period (April 1st, 2014), hence the difference.

View solution in original post

Highlighted

Re: metadata vs stats count

Ultra Champion

Oh interesting. I clearly misunderstood the use of the time bounds on the search. Thanks for clarifying!

0 Karma