Different number of events when querying over a 6-...

wu_weidong · ‎01-19-2020

I'm trying to create a table over a 6-month period, showing the number of items sold in each month (e.g. 10 ItemA & 20 ItemB in Jan, 15 ItemA & 10 ItemB in Feb, etc). However, when doing a comparison between the number of events returned and the values in the table, I found that there is a difference between the two. For example, the table shows 10 ItemA & 20 ItemB in Jan, but if I only query for Jan events, the actual number of events is 15 ItemA & 25 ItemB.

My query is

index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | search mname = "itemC" | dedup f_1 f_2 | stats count by id _time

My query above is searching only for a specific item, in an attempt to troubleshoot.

If my time range is set to "Last 6 months", I get the following values in the table (showing only Oct, Nov and Dec here):
Oct = 18, Nov = 10, Dec = 11

If my time range is set to "During X 2019", where X is Oct, Nov and Dec, i.e. I search specifically during that month only, I get the following number of events:
Oct = 26, Nov = 14, Dec = 11

Missing events for Nov : 4 events on 30 Nov
Missing events for Oct : 5 events on 31 Oct, and 3 events on 27 Oct

I'm not sure why I get different results using the same query, if I change my time range.

wu_weidong · ‎01-21-2020

I found that if I remove the dedup f_1 f_2 statement, the results match, regardless of whether the query was over 6 months or over a specific month. While I'm glad to finally get the same results, I don't understand why the dedup statement caused the mismatch, when it appears in both queries.

Different number of events when querying over a 6-month period vs 1 month

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!