Splunk Search

How to stats events for solving this problem please?

jip31
Motivator

hello

I stats events after 2 eventstats command like this

 

 

| eventstats sum(netp) as "netp1" by site 
| eventstats sum(netp) as "netp2" by site user 
| stats last(netp1) as "netp1", last("netp2") as "netp2" by site user

 

 

 But I know it's not good because I am doing  a chart and the sum of netp and the sum of netp2 are not the same because for a same site it may have many user but in my bar chart there is just one user display

the bar in red correspond to netp2 and the bar in blue to ntp2

So the problem is on my bar in blue which has to have the same sum than the bar in red

jip31_0-1652370831159.png

How to stats events for solving this problem please?

Labels (1)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Correct - the red bar represents the count for the site, and the blue bar represents the count for one of the users of the site, so where there are more than one user for a site, you will get multiple sets of bars for the site.

View solution in original post

0 Karma

jip31
Motivator

is anybody can help please?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Clearly there are other columns in the chart - what are the x-axis labels for the columns

Also, what do you get if you add this to the search

| stats count by site
0 Karma

jip31
Motivator

the x-axis labels correspond to the site field

When Iam doing | stats count by site I have a count = 1 for almost all the site except 2 sites

For the 2 sites, it just means that there are 2 users concerned instead 1

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Are these two sites where there is an issue? Or, do you get the issue for all of the sites?

0 Karma

jip31
Motivator

Most of the time there is just one user for one site

So in this case, my chart is correctly displayed

In red it's the sum count by site and in blue the sum count by user

jip31_0-1652691024650.png

But if there is more than one user, my chart is wrong

jip31_1-1652691321313.png

the bar chart for the sum count by site and the sum count by user are always to be the same even if there is more than one user...

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

So the second and third blue add up to the red in both second and third, and the eighth and nine blue ad up to the red in both eighth and ninth. This is to be expected as both these sites have two users.

0 Karma

jip31
Motivator

so according to you there is no solution to display the bar chart as I need?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Correct - the red bar represents the count for the site, and the blue bar represents the count for one of the users of the site, so where there are more than one user for a site, you will get multiple sets of bars for the site.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If user is null in some of your events they will still be counted as part of netp1 but won't appear in netp2

0 Karma

jip31
Motivator

I am sure it's not the problem

In my example I can see for a same site 2 users with 2 different sum of ntp2

So in my chart the sum of these 2 ntp2 has to be the same than ntp1

but the sum is different because in the bar chart for ntp2 there is just one user

so there is a problem in the way of stats events I think?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this

| where isnotnull(user)
| eventstats sum(netp) as "netp1" by site 
| eventstats sum(netp) as "netp2" by site user 
| stats last(netp1) as "netp1", last("netp2") as "netp2" by site user
0 Karma

jip31
Motivator

it changes anything...

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Not sure what you mean by that

If your results are not what you expect, you need to look at your data and figure out what it is about your data that is producing the results you are getting.

For example, if user is a multi-value field, netp2(siteA, userX) + netp2(siteA, userY) could be greater than netp1(siteA)

Try reducing your data set until the inconsistency goes away, then increase it until the inconsistency comes back and have a look at the differences between the two data sets to try and isolate where the difference is coming from.

0 Karma

jip31
Motivator

sorry i dont understand

I share you the search if you can have a look please

https://www.cjoint.com/c/LEnfNGp6MEB

thanks

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There doesn't appear to be anything wrong with the search

Therefore, if the results are not as you are expecting, there is a mismatch between your expectations and the data you are dealing with.

Try reducing the data set to a more manageable size to see at what point the outcome matches or doesn't match your expectations

0 Karma

jip31
Motivator

I have done a lot of debuging but I am going to continue again...

Don't you thing we can do the job with a subsearch in order to workaround the issue?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I don't understand what the issue is so I wouldn't know how a subsearch would help or not.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You are overwriting the value of netp in the first eventstats - try changing the order

| eventstats sum(netp) as "netp2" by site user 
| eventstats sum(netp) as "netp" by site 
| stats last(netp) as "netp", last("netp2") as "netp2" by site user
0 Karma

jip31
Motivator

yes but its just because I have modified the code for the example and I have mistaken...

so in my original code, its not the case

so the root cause of my problem is not due to this...

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please update your question so that it represents your actual issue

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>