- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- twice as many counts as matching events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twice as many counts as matching events?
I need help figuring out this one
This is the search:
host="myhost" | spath | top agent.browser
I get 311 matching events
This is the table of results:
agent.browser count percent
1 IE 206 66.237942
2 Safari 146 46.945338
3 Firefox 141 45.337621
4 Chrome 116 37.299035
5 Mobile Safari 8 2.572347
6 Chrome Frame 4 1.286174
Note that if you sum up all the counts, it adds to 622, which is exactly twice the number of matching events.
Also if you click one of the rows, example IE, you go to a search page:
host="Games-Team-Mac" | spath | search agent.browser="IE"
Which shows you 103 events, which is half the count.
So it seems i really only have 311 event, but for some reason the counts are counting them twice.
Why?
The only difference between these and other searches that work is that these logs are json format, so I'm using spath.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With current definition of spath (5.x+), its used to extract values from structured data (xml, json). If any field is not specified, it performs the field extraction on _raw. Since, your soucetype already have these fields extracted, using spath is basically extracting very same fields again, making the count double.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed the same thing when upgrading to splunk 5 from splunk 4. spath became redundant in a lot of searches, and if you left it in, events were double counted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending upon your XML / JSON, spath may create multi-value fields. This would lead to double-counts from the same event. I'd triage this by doing host="myhost" | spath | table _time, agent.browser. This would validate whether or not the fields are multi-value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, there aren't any duplicate events, which can be seen by performing individual searches on each field.
Actually, I just removed spath from the search, and the results are now correct.
host="myhost" | top agent.browser
(no spath) works correctly, ie, count sums up to 311 which equals matching events.
Does anyone knows why spath would cause the duplicate issue with top?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wasn't saying you have duplicate events, I was saying you have duplicate values for agent.browser in EACH event. See sowings's answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds to me that your agent.browser field has multiple values in each event - the second one being a duplicate of the first.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
