Hi,
I would like to query all data over the past year and then use "stats count by some fields" to calculate the counts.
However, the data is too large (at least a few million) and Splunk truncates data when querying, so the number of counts is inaccurate.
Does anyone know a good way to fix it?
PS. I tried 'sistats' and set a report to run every hour to query data from the previous year.
Ideally, I hope the report can collect data in a smaller time interval accurately, and then aggregate the result.
However, in each hour, the report queries the whole previous data inaccurately and then adds up all counts as the result.