Stats count returns nine events for Points-1 & 2.
But as shown in the point-3 below, the actual events count is three.
Why is stats count displaying more? Please help.
These fields are extracted manually. Verbose search did not help either.
1) Output:9
index="index_test1" sourcetype="st_test1" Statusfield="Failure" Service_Name="Service1" Hostname="myhost1"|stats count as Failed
2) Output: myhost1 -> 9
index="index_test1" sourcetype="st_test1" Statusfield="Failure" Service_Name="Service1" Hostname="myhost1"|stats count by Hostname
3) Output: 3 events
index="index_test1" sourcetype="st_test1" Statusfield="Failure" Service_Name="Service1" Hostname="myhost1"
For the individual events, is Hostname extracted multiple times? (Also, is your first query actually stats count(Hostname) as failed instead of stats count as failed?)
Take this as a runanywhere example:
|makeresults count=3 | eval Hostname=mvappend("myhost1","myhost1","myhost1")
I have 3 results, each result has extracted Hostname "myhost1" three times.
Doing | stats count(Hostname) after this would return 9, as does | stats count by Hostname ... but you can see | stats count returns 3 and | stats dc(Hostname) returns 1.
Or all together:
|makeresults count=3 | eval Hostname=mvappend("myhost1","myhost1","myhost1") | multireport [stats count(Hostname) as n1] [stats count as n2 by Hostname] [stats count as n3] [stats dc(Hostname) as n4] [noop]
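A check that follows from the reply above, added here as an example and not part of the original posts: count how many Hostname values each event carries with mvcount, then collapse duplicates with mvdedup before grouping. The field names values_per_event, events, raw_values and max_values_per_event are hypothetical, and the three results are constructed sample data.

```spl
| makeresults count=3
| eval Hostname=mvappend("myhost1","myhost1","myhost1")
| eval values_per_event=mvcount(Hostname)
| eval Hostname=mvdedup(Hostname)
| stats count as events, sum(values_per_event) as raw_values, max(values_per_event) as max_values_per_event by Hostname
```

If raw_values is larger than events, the field is being extracted more than once per event. The last three lines can be appended to a real base search in place of the makeresults sample.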
I have extracted Hostname only once.
For me | stats count returns 9, even though the actual event count is 3 in search.
But in dashboard both the | stats count and event count are showing 9.
This is the description on the Splunk site for stats: Calculates aggregate statistics over the results set, such as average, count, and sum. The only thing I can think of is that it is aggregating the events so that you are seeing the same results but in different ways. I'm very new to Splunk though, so I could very well be wrong.
Stats count returns 9.
Three different events get displayed that are actually present.
Are there multiple outputs that are the same? Is it outputting the same thing three times, for the three events you have?
The mismatch of count and events happens to some values, not to all.
Three different events get displayed that are actually present.
So there are 6 events that are displayed when using stats count that aren't any of the three that are displayed normally?
Yes. In many cases. Many times the stats count is more than the actual events present.