index=ng [search index=ng | streamstats count as DuplicateNumber by _raw,_time| search DuplicateNumber>1 | stats count max(DuplicateNumber) by _raw,_time | fields _raw,_time]
For this search I get 0 events on both the Splunk 6.2 and the Splunk 6.3 instance, so this time both versions of Splunk agree that the above query returns 0 events, which is strange.
Right afterwards I ran the query from before once again:
index=ng | streamstats count as DuplicateNumber by _raw,_time| search DuplicateNumber>1 | stats count max(DuplicateNumber) by _raw,_time
The Splunk 6.2 instance returns 0 events.
The Splunk 6.3 instance returns 7267 events.
By the way, the date range for all queries was 01.02.2016 to 08.02.2016.
If Splunk 6.2 is wrong in telling me that there are no duplicates, as you assume, then I do not understand why I cannot find the duplicates that Splunk 6.3 identifies using streamstats.
I took parameters from the events that Splunk 6.3 identified with the query
index=ng | streamstats count as DuplicateNumber by _raw,_time| search DuplicateNumber>1 | stats count max(DuplicateNumber) by _raw,_time
For example, one of the duplicates contains a unique number in the message part.
If I search for this unique number, I would expect to get more than 1 event in return, as the query above clearly states that this is a duplicate event.
I searched for this unique number in index ng (the date/time picker was set to All time) and could find only one event, so there are no duplicate events in this index.
In my opinion, either the Splunk 6.3 streamstats function has a bug and returns wrong results, OR some new feature introduced in Splunk 6.3 has side effects like the one seen with streamstats.
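To make the consistency argument in the post checkable offline, here is an added Python model of the SPL pipeline `streamstats count as DuplicateNumber by _raw,_time | search DuplicateNumber>1 | stats count max(DuplicateNumber) by _raw,_time`, together with the author's cross-check (searching the index for a token from a flagged event). It is example code, not from the original post or from Splunk; the events are constructed, and the model assumes streamstats keeps a running per-group count in arrival order with no reset.

```python
from collections import defaultdict

# Constructed sample events as (_time, _raw). Three exact copies of the A1001
# event share the same _time; a fourth copy has the same _raw but a different
# _time, so it is NOT a duplicate under "by _raw,_time".
A1001 = "2016-02-02 00:00:00 host=web1 msg=login user=alice txn=A1001"
EVENTS = [
    (1454371200, A1001),
    (1454371200, A1001),  # exact duplicate of the first event
    (1454371260, "2016-02-02 00:01:00 host=web1 msg=logout user=bob txn=B2002"),
    (1454371200, A1001),  # third copy, same _raw and _time
    (1454371320, "2016-02-02 00:02:00 host=web2 msg=login user=carol txn=C3003"),
    (1454371380, A1001),  # same _raw, different _time: separate group
]

def streamstats_count(events):
    """Model of `streamstats count as DuplicateNumber by _raw,_time`:
    running count of events seen so far with identical (_raw, _time)."""
    seen = defaultdict(int)
    rows = []
    for t, raw in events:
        seen[(raw, t)] += 1
        rows.append({"_time": t, "_raw": raw, "DuplicateNumber": seen[(raw, t)]})
    return rows

def duplicate_report(events):
    """Model of `search DuplicateNumber>1 | stats count max(DuplicateNumber) by _raw,_time`.
    Returns {(_raw, _time): {"count": n_rows_past_filter, "max": highest DuplicateNumber}}."""
    groups = {}
    for r in streamstats_count(events):
        if r["DuplicateNumber"] > 1:
            g = groups.setdefault((r["_raw"], r["_time"]), {"count": 0, "max": 0})
            g["count"] += 1
            g["max"] = max(g["max"], r["DuplicateNumber"])
    return groups

def count_events_matching(events, needle):
    """The author's cross-check: how many raw events contain a unique token."""
    return sum(1 for _, raw in events if needle in raw)

def check_consistency(events):
    """For every flagged group, the number of stored events with that exact
    (_raw, _time) must equal the max DuplicateNumber streamstats reported.
    A flagged duplicate whose token is found only once is a contradiction."""
    for (raw, t), g in duplicate_report(events).items():
        copies = sum(1 for tt, rr in events if rr == raw and tt == t)
        if copies != g["max"] or count_events_matching(events, raw) < 2:
            return False
    return True
```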