Numbers don't add up...

DTERM
Contributor

I have three different searches below.

The first one counts and graphs ticket numbers between 10 AM and 10 PM (shift one) and the ticket numbers between 10 PM and 10 AM (shift two).

The second search only counts and graphs the evening ticket numbers (10 PM to 10 AM).

The third search only counts and graphs the daily ticket numbers (10 AM to 10 PM).

My problem is the daily ticket numbers don't match between the first query and the third. The evening numbers match up. The daily numbers do not. Any idea why? Thanks in advance.

Query1 -

index=myapp lastOccurrence firstOccurrence earliest=-30d@d-14h 
| where lastOccurrence=firstOccurrence
| eval Shift=if(10<=date_hour AND date_hour<22,"Daily Stats","Evening Stats")
| timechart span=1d count by Shift

Query2 -

index=myapp earliest=-30d@d-2h 
| where(date_hour<10 or date_hour>=22)
| where lastOccurrence=firstOccurrence 
| eval _time=if(date_hour<10, _time-86400, _time) 
| bucket _time span=1d 
| stats count by _time 
| sort - _time

Query3 -

index=myapp earliest=-30d@d-14h 
| where (date_hour>=10 AND date_hour<22) 
| where lastOccurrence=firstOccurrence 
| bucket _time span=1d 
| stats count by _time 
| sort - _time

gkanapathy
Splunk Employee

You may have events where date_hour is not set at all, and it will be counted in the first query, but not in the second. date_hour has a value according to the parsed time/date stamp in the event. If one was not there, e.g., it was derived from the timestamp of the previous event or the file modification time or similar, then it would be not set. You might check by searching for NOT date_hour=*
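As an added example (not from the original thread), a variant of Query1 that keeps events with no date_hour in the count but labels them separately, falling back to the hour of the indexed _time; it assumes the same index and field names as the queries above:

```spl
index=myapp earliest=-30d@d-14h
| where lastOccurrence=firstOccurrence
| eval hour=coalesce(date_hour, tonumber(strftime(_time, "%H")))
| eval Shift=if(hour>=10 AND hour<22, "Daily Stats", "Evening Stats")
| eval Shift=Shift.if(isnull(date_hour), " (hour from _time)", "")
| timechart span=1d count by Shift
```

The "(hour from _time)" series is exactly the set of events that Query3's where clause drops, which is where the daily gap comes from. Note that date_hour reflects the timestamp text in the event itself, while strftime(_time, "%H") is rendered in the searching user's time zone, so the two can disagree for sources logged in a different zone.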
