First of all, English isn't my native language, so I apologize in advance for any error I could write in this support topic. I encounter a problem I'm a bit lost with: I'm indexing a lot of different data with different sourcetypes (mostly CSV and JSON data, but with a bit of unstructured data here and there), and the eventcount and tstats commands are returning very different counts of events. I know the eventcount command doesn't care about the time window, so I tried increasing the time window into the future until the maximum supported by Splunk, but to no avail. To talk numbers, in my instance the command "eventcount index=XXX*" returns a number of 160 million events in my indexes. When I try the command "| tstats count where index=XXX* by sourcetype", it only finds about 59 million events. Even increasing the time window with "latest=+4824d" to reach the maximum supported by the software doesn't yield more events. I thought about frozen data, so I increased the time window before freezing events just for debugging, deleted all my data, reindexed them all, but to no avail. Is it possible for an event to be indexed without a sourcetype? Or is there technological wizardry I'm not aware of?