Splunk Search

tstats count on accelerated data models giving different results after a few days

arjit
Path Finder

Hi All,

We have scheduled a job which runs a tstats command on an accelerated data model for yesterday’s data, and this populates the count value to an index called “xyz” via the collect command.

| tstats count as "COUNT VALUE" from datamodel="abc" where .....
| collect index=xyz addTime=T

When I run the tstats query and the index=xyz count query for a couple of days, the results match (which they should), but when I run this tstats query on the same dataset for the same time period after, say, a few days and compare it with index=xyz for that date, the tstats query gives me a different result (though the index=xyz result is the same as what I got that day). The tstats count value seems to be increasing with time... May I know why the tstats count values are changing over the period and how to fix this issue?

Thanks

AG
