I am facing a difference in count between stats and timechart for the same search and same filters.
Stats cmd: Last 24 hours
search|bin span=1d _time |stats count by Status|eventstats sum(*) as sum_* |foreach * [eval "Comp %"=round((count/sum_count)*100,2)]|rename count as Count|fields - sum_count
Timechart: Last 30 days
search|bin span=1d _time |timechart count by Status| addtotals| eval "Comp %"=round((Comp/Total)*100,2) | eval "Error %"=round((Error/Total)*100,2) | eval "Noncomp %"=round((Noncomp/Total)*100,2) | eval "NonRep %"=round((NonRep/Total)*100,2) | fields _time,*%
There is a difference in count of 2 between these 2 functions. I am using a macro before the timechart or stats. Please help me with a solution or the cause of this issue.
Your searches and your data examples don't seem to correlate.
Firstly, you are not splitting by _time in your stats, so the stats command will give you a single set of stats by Status for the last 24 hours. Your bin _time is redundant. If you want to use bin with stats, you need to also use _time in the by clause, e.g.
|stats count by _time Status
Depending on when you are running the search and if the latest part of the search is anchored to a fixed time, it will vary every time you run it.
Your timechart search is producing percentage values, not counts.
Can you clarify exactly what your earliest and latest search criteria are for these two searches?
Every search has an earliest and latest time range - it's a fundamental requirement for any search. It's either set by a time picker or specified in the search directly.
Last 24 hours in Splunk will typically mean -24h@h to "now", so it will be somewhere between 24 and 25 hours whereas your timechart will be working on day boundaries, because you have defined the time group to be a span of 1 day, so will be from midnight to midnight.
You need to make sure you are comparing comparable time ranges. "Last 24 hours" will never be the same time range as a 30 day time range.
If you want "last 24 hours" to mean "yesterday", then your time range needs to be -d@d for the earliest time and @d for the latest time range in the time picker.
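To see where the difference comes from, here is an added Python model (not Splunk code, and not from this thread) of the time-range semantics the answer above describes: "Last 24 hours" snaps to the hour, while a span=1d timechart bucket runs midnight to midnight. The events and the fixed "now" are constructed sample values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample events (timestamp, Status) and a fixed "now"; not data from the thread.
EVENTS = [
    (datetime(2024, 5, 13, 23, 30), "Comp"),
    (datetime(2024, 5, 14, 0, 15), "Comp"),
    (datetime(2024, 5, 14, 8, 0), "Error"),
    (datetime(2024, 5, 14, 13, 45), "Noncomp"),
    (datetime(2024, 5, 14, 22, 10), "Comp"),
    (datetime(2024, 5, 15, 9, 5), "Comp"),
    (datetime(2024, 5, 15, 9, 40), "Error"),
]
NOW = datetime(2024, 5, 15, 9, 30)

def snap_hour(t):  # Splunk's "@h" snap-to
    return t.replace(minute=0, second=0, microsecond=0)

def snap_day(t):  # Splunk's "@d" snap-to
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def last_24_hours(now):
    """Time picker 'Last 24 hours': earliest=-24h@h, latest=now (24 to 25 hours)."""
    return snap_hour(now) - timedelta(hours=24), now

def yesterday(now):
    """earliest=-d@d, latest=@d: one calendar day, midnight to midnight."""
    return snap_day(now) - timedelta(days=1), snap_day(now)

def stats_count_by_status(events, earliest, latest):
    """Model of `stats count by Status` over the search window [earliest, latest)."""
    return Counter(status for t, status in events if earliest <= t < latest)

def timechart_span_1d(events, earliest, latest):
    """Model of `timechart span=1d count by Status`: each event in the window lands
    in the bucket that starts at midnight of its own day."""
    buckets = defaultdict(Counter)
    for t, status in events:
        if earliest <= t < latest:
            buckets[snap_day(t)][status] += 1
    return dict(buckets)

def compare(now=NOW):
    """Return (stats over 'Last 24 hours', stats over yesterday, timechart bucket for yesterday)."""
    tc = timechart_span_1d(EVENTS, snap_day(now) - timedelta(days=30), now)
    return (stats_count_by_status(EVENTS, *last_24_hours(now)),
            stats_count_by_status(EVENTS, *yesterday(now)),
            tc.get(snap_day(now) - timedelta(days=1), Counter()))

if __name__ == "__main__":
    for label, c in zip(("last 24h", "yesterday", "timechart"), compare()):
        print(label, sum(c.values()), dict(c))
```

With the sample data the "Last 24 hours" stats window holds 3 events while the midnight-to-midnight timechart bucket for the same day holds 4, and only the -d@d/@d stats window matches the timechart bucket.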
I understand this. But I am using a data warehouse view as the source for the sourcetype using DB Connect.
It will have a static value for a particular day. But I am not sure why I am seeing a difference between stats and timechart.
When I select yesterday in timechart it shows an exact match with the stats count. But when I select more than one day it shows a difference.
It's strange but this is what I am getting.