Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Different Count for Events over a specified 15 min period

pitt93
New Member
‎02-18-2024 08:11 AM

I am trying to get a understanding why I get a different count total for the number of events for the following searches

1. index=some_specific_index  (Returns the following  total for events 7,601,134)

2. | tstats count where index=some_specific_index (Returns 7,593,248)

 

I do have the same date and time range sent when I run the query.

I understand why tstats and stats have different values.

 

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-18-2024 08:46 AM

In a general case, both

index=whatever | stats count

and

| tstats count where index=whatever

run over a static period of time in the past should give you the same result.

If there is a difference it might mean that you're still ingesting data into that period of time so subsequent runs of either of those commands will yield different results.

But if you have a repeatable two different static values of those searches it might signal bucket corruption.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...