twice as many counts as matching events?

malukisses
Engager

I need help figuring out this one

This is the search:

 host="myhost" | spath | top agent.browser

I get 311 matching events

This is the table of results:

agent.browser   count   percent
1   IE      206 66.237942
2   Safari      146 46.945338
3   Firefox     141 45.337621
4   Chrome      116 37.299035
5   Mobile Safari   8   2.572347
6   Chrome Frame    4   1.286174

Note that if you sum up all the counts, it adds to 622, which is exactly twice the number of matching events.

Also, if you click one of the rows, for example IE, you go to a search page:

host="Games-Team-Mac" | spath | search agent.browser="IE"

Which shows you 103 events, which is half the count.

So it seems I really only have 311 events, but for some reason the counts are counting them twice.

Why?

The only difference between these and other searches that work is that these logs are json format, so I'm using spath.

somesoni2
SplunkTrust

With the current definition of spath (5.x+), it's used to extract values from structured data (XML, JSON). If no field is specified, it performs the field extraction on _raw. Since your sourcetype already has these fields extracted, using spath is basically extracting the very same fields again, making the count double.

prokopowicz
Explorer

I noticed the same thing when upgrading to Splunk 5 from Splunk 4. spath became redundant in a lot of searches, and if you left it in, events were double counted.

sowings
Splunk Employee

Depending upon your XML / JSON, spath may create multi-value fields. This would lead to double-counts from the same event. I'd triage this by doing host="myhost" | spath | table _time, agent.browser. This would validate whether or not the fields are multi-value.
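
Added illustration of the double-count mechanism described in this answer and in somesoni2's reply above; this is a small model written for this page, not Splunk's code. It assumes the sourcetype already extracts the JSON fields automatically at search time and that a second extraction pass (an explicit `| spath`) appends a second copy of each value instead of overwriting it, so `agent.browser` becomes a multivalue field. A `top`-style aggregation then counts each value occurrence, which is why the counts sum to exactly twice the number of events while the percentages are still computed against the event count. The sample events are constructed.

```python
"""Model of how a duplicated multivalue field inflates `top` counts.

Added example for this thread, not Splunk's implementation. Assumptions:
- automatic JSON extraction has already populated dotted fields such as
  agent.browser (the sourcetype's auto-extraction, per the thread);
- an explicit `| spath` extracts the same fields again and the values are
  appended, producing a multivalue field rather than a replacement.
"""
import json
from collections import Counter

# Constructed sample JSON events (not from the original thread).
RAW_EVENTS = [
    '{"ts": "2013-01-01T10:00:00", "agent": {"browser": "IE"}}',
    '{"ts": "2013-01-01T10:00:01", "agent": {"browser": "Safari"}}',
    '{"ts": "2013-01-01T10:00:02", "agent": {"browser": "IE"}}',
    '{"ts": "2013-01-01T10:00:03", "agent": {"browser": "Firefox"}}',
]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names, e.g. agent.browser."""
    out = {}
    for key, val in obj.items():
        name = f"{prefix}{key}"
        if isinstance(val, dict):
            out.update(flatten(val, name + "."))
        else:
            out[name] = val
    return out


def extract(raw, event=None):
    """One field-extraction pass over a raw JSON event.

    If the event already carries the field, the freshly extracted value is
    appended (modelled multivalue behaviour), not overwritten.
    """
    event = event if event is not None else {"_raw": raw}
    for name, val in flatten(json.loads(raw)).items():
        event.setdefault(name, []).append(val)
    return event


def search(raws, use_spath):
    """Return the event list after auto-extraction and, optionally, `| spath`."""
    events = [extract(r) for r in raws]                    # automatic extraction
    if use_spath:
        events = [extract(e["_raw"], e) for e in events]   # explicit | spath
    return events


def top(events, field):
    """`top`-style result: (value, count, percent). Every value of a
    multivalue field is counted; percent is relative to the event count."""
    counter = Counter()
    for e in events:
        counter.update(e.get(field, []))
    n = len(events)
    return [(v, c, round(100.0 * c / n, 6)) for v, c in counter.most_common()]


def multivalue_events(events, field):
    """Triage check equivalent to `| table _time, <field>`: how many events
    carry more than one value for the field."""
    return sum(1 for e in events if len(e.get(field, [])) > 1)


if __name__ == "__main__":
    for use_spath in (False, True):
        evs = search(RAW_EVENTS, use_spath)
        rows = top(evs, "agent.browser")
        print(f"spath={use_spath}: events={len(evs)} "
              f"sum(count)={sum(c for _, c, _ in rows)} "
              f"multivalue={multivalue_events(evs, 'agent.browser')}")
        for row in rows:
            print("   ", row)
```

With `use_spath=True` every event ends up with two identical values for `agent.browser`, the counts double (8 for 4 events) and `multivalue_events` reports all 4 events, which is what the suggested `table _time, agent.browser` triage would show. Dropping the redundant `| spath`, as the original poster later did, restores a sum equal to the event count.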

malukisses
Engager

No, there aren't any duplicate events, which can be seen by performing individual searches on each field.

Actually, I just removed spath from the search, and the results are now correct.

host="myhost" | top agent.browser

(no spath) works correctly, i.e., the count sums up to 311, which equals the number of matching events.

Does anyone know why spath would cause the duplicate issue with top?

Ayn
Legend

I wasn't saying you have duplicate events, I was saying you have duplicate values for agent.browser in EACH event. See sowings's answer.

Ayn
Legend

It sounds to me like your agent.browser field has multiple values in each event, the second one being a duplicate of the first.