I need help figuring out this one
This is the search:
host="myhost" | spath | top agent.browser
I get 311 matching events
This is the table of results:
   agent.browser   count  percent
1  IE                206  66.237942
2  Safari            146  46.945338
3  Firefox           141  45.337621
4  Chrome            116  37.299035
5  Mobile Safari       8   2.572347
6  Chrome Frame        4   1.286174
Note that if you sum up all the counts, it adds to 622, which is exactly twice the number of matching events.
Also, if you click one of the rows, for example IE, you go to a search page:
host="Games-Team-Mac" | spath | search agent.browser="IE"
Which shows you 103 events, which is half the count.
So it seems I really only have 311 events, but for some reason the counts are counting them twice.
Why?
The only difference between these and other searches that work is that these logs are in JSON format, so I'm using spath.
With the current definition of spath (5.x+), it's used to extract values from structured data (XML, JSON). If no field is specified, it performs the field extraction on _raw. Since your sourcetype already has these fields extracted, using spath is basically extracting the very same fields again, making the count double.
I noticed the same thing when upgrading to Splunk 5 from Splunk 4. spath became redundant in a lot of searches, and if you left it in, events were double counted.
Depending upon your XML / JSON, spath may create multi-value fields. This would lead to double-counts from the same event. I'd triage this by doing host="myhost" | spath | table _time, agent.browser . This would validate whether or not the fields are multi-value.
No, there aren't any duplicate events, which can be seen by performing individual searches on each field.
Actually, I just removed spath from the search, and the results are now correct.
host="myhost" | top agent.browser
(no spath) works correctly, i.e., the count sums up to 311, which equals the number of matching events.
Does anyone know why spath would cause the duplicate issue with top?
I wasn't saying you have duplicate events, I was saying you have duplicate values for agent.browser in EACH event. See sowings's answer.
Sounds to me that your agent.browser field has multiple values in each event - the second one being a duplicate of the first.