Re: Duplicated values on count

vinihei_987 · ‎03-12-2024

When I do an stats count my field it return the double of the real number

index=raw_fe5_autsust Aplicacao=HUB Endpoint="*/"
| eval Agrupamento=if(Agrupamento!="", Agrupamento, "AGRUPAMENTO_HOLDING/CE")
| eval Timestamp=strftime(_time, "%Y-%m-%d")
| stats count by Agrupamento, Timestamp
| sort -Timestamp

I already tried dedup and when I count only by Timestamp it works fine

ITWhisperer · ‎03-12-2024

If Agrupamento is a multi-value field, it will be counted for each value in the multivalue field

| makeresults
| eval field=split("AA","")
| stats count by field _time

gcusello · ‎03-12-2024

Hi @vinihei_987 ,

are yousure that in some events you have only one Agrupamento?

probaby they are more than one in some (or all) events, so you have a total greter than events.

Ciao.

Giuseppe

richgalloway · ‎03-12-2024

It's not clear what the problem is. Are you seeing repeated results or are the counts twice the expected values? It may help to share sanitized output.

---
If this reply helps you, Karma would be appreciated.

Duplicated values on count

source

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!