cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
yotamros
Explorer
Member since: ‎11-28-2023
‎12-02-2023
Community Statistics
Posts 4
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎11-28-2023
Activity Feed
View All

Re: tstats distinct_count returns an incorrect val...

by in Splunk Search
‎12-01-2023 02:34 AM
1 Karma
‎12-01-2023 02:34 AM
1 Karma
Ended up looking at the search.log and finding the following ERROR: "SRSSerializer - max str len exceeded - probably corrupt" After looking at the known issues page, I found SPL-166001 that stated this happens with event that are larger than 16MB. Even though this isn't the case, I tried the workaround offered there: [search] results_serial_format=csv   This did fix the issue, however sadly this is supposed to affect all search performance. ... View more

Re: tstats distinct_count returns an incorrect val...

by in Splunk Search
‎11-29-2023 01:04 AM
‎11-29-2023 01:04 AM
Sadly setting chunk_size doesn't make a difference. I've since tried playing around with limits.conf on both search heads and indexers to no avail. Also, the queries does seem to work on the indexers (when querying there directly, rather than using the search head). Another note that might be helpful - the query works on Splunk 7.3 but not on 8.2.2.   ... View more

Re: tstats with count() works but dc() produces 0 ...

by in Splunk Search
‎11-28-2023 01:40 PM
‎11-28-2023 01:40 PM
Did you end up finding a solution to this? I have a similar care and there is no info anywhere on the matter.. ... View more

tstats distinct_count returns an incorrect value o...

by in Splunk Search
‎11-28-2023 01:11 PM
‎11-28-2023 01:11 PM
Hey I've been working on a distributed Splunk environment, where in one of our indexes we have a very high cardinality "source" field (basically different for each event). I've noticed that using tstats 'distinct_count' to count the number of sources, I am getting an incorrect result (far from one per event). The query looks something like: |tstats dc(source) where index=my_index   I've noticed that when I search on a smaller number of events (~100,000 instead of ~5,000,000), the result is correct. In addition, when using estdc I get a better result than dc (which is wildly wrong). Finally, when using stats instead of tstats, I get the correct value: index=my_index | stats dc(source)   Any ideas? My guess is that I'm hitting some memory barrier, but there is no indication of this. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-02-2023 04:30 AM
Karma from
View All
Karma given to
View All