stats count issue, mismatch with search query resu...

delalegro · ‎09-02-2016

Hello,

i'm using a query to find all traffic hitting a singe firewall rule.
it's something like this: host=fw_host_name rule_uid={uid} action=accept

i wanted to create a list of all sources, destinations and services(ports) with a count so i added | stats count by src dst service
The output i get is perfect for example the following row src:192.168.1.1 dst:8.8.8.8 service:22 count:71

but if i do the following search query over the same time: host=fw_host_name rule_uid={uid} action=accept src=192.168.1.1 dst=8.8.8.8 service=22 splunk returns 85 events.

so whats wrong with the stats count that it's not returning all events?

Thanks in advance for your help!

somesoni2 · ‎09-03-2016

How many events you get, for same time range, for this query

host=fw_host_name rule_uid={uid} action=accept src=192.168.1.1 dst=8.8.8.8 service=22  | stats count by src dst service

AND

 host=fw_host_name rule_uid={uid} action=accept src=* dst=* service=* | stats count by src dst service

renjith_nair · ‎09-02-2016

Its possible that you are getting live data and by the time you execute the second search , you have more events indexed.

Try your searches for a specific time period. for eg: datetime range

---
What goes around comes around. If it helps, hit it with Karma 🙂

delalegro · ‎09-03-2016

Thanks for your answer, sorry for being not clear. I used the same date time range for both queries.

stats count issue, mismatch with search query results

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services