Solved: Re: Different count results after table/fields

Hsebri · ‎02-26-2024

Hello!

We actually noticed different results in two dashboard panels.

1-With the first, We have used the fields command to specify the fields we needed to work with, then applied a count.

2-In the second, The same query was used with the table command instead of fields and then applying a count

We have noticed different results in count, query number 2 , gave a correct and complete result.

Can someone please explain the difference between the two commands table and fields , and why fiels seems to give missing results

Thank you

PickleRick · ‎02-27-2024

OK. So this is not about the searching itself but rather about the base/post-process search functionality within the dashboard. It's a completely different topic. Base search should be a reporting search and should not return an overly huge number of results. Otherwise you might get into some unpredictable results (and there was definitely something about specifying a list of fields but I can't recall the details).

Anyway, it's usually not a good practice to return a raw list of events from the base search and then postprocess it with stats as the "refining" search. The approach should be to generate all (possibly relatively fairly detailed) stats in the base search and aggregate them the way you want in the post-process search.

View solution in original post

PickleRick · ‎02-27-2024

1. If you want to just count, you don't need to do either fields or table in the first place.

2. Your quesiton lacks details - actual searches run, results and possible warnings/errors you got, your architecture.

3. Did you check the search logs?

4. How do you know which one is the correct result and what does that mean in this context?

Hsebri · ‎02-27-2024

Hello @PickleRick

Thank you for your feedback,

I will try to provide the maximum of details here:

- We have a dashboard using simple searches, in single value panels, in every single value

we have this kind of query : index=x sourcetype=z filter1=a filter2=b | stats dc(value) as nb_value

- For optimization inqueries we had to use a base search containing the first part of the query, when called in a single value panel, it did not provide any result , so we defined the fields we wanted to extract with the fields command and applied the stats dc right after, we have noticed that we had less results (turned also into verbose mode) , when replaced the fields with table command we had the exact number.

PS: we have no errors just noticed the big difference in results , we are in splunkcloud.

Thank you

PickleRick · ‎02-27-2024

OK. So this is not about the searching itself but rather about the base/post-process search functionality within the dashboard. It's a completely different topic. Base search should be a reporting search and should not return an overly huge number of results. Otherwise you might get into some unpredictable results (and there was definitely something about specifying a list of fields but I can't recall the details).

Anyway, it's usually not a good practice to return a raw list of events from the base search and then postprocess it with stats as the "refining" search. The approach should be to generate all (possibly relatively fairly detailed) stats in the base search and aggregate them the way you want in the post-process search.

Hsebri · ‎02-28-2024

Thank you so much

very helpful!

Different count results after table/fields

saved search

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?