Why is stats count by sourcetype missing some sour... - Splunk Community

Splunk Search

index=app_xxxxxxxxx_products cluster_name=dxx-exx-awslab sourcetype=xxxxxxx:deployment-info | stats count by sourcetype

Returns count for the sourcetype but when ran as :

index=app_xxxxxxxxx_products cluster_name=dxx-exx-awslab  | stats count by sourcetype

The results don't include the sourcetype mentioned in firsts search.

Hi dilpreetsingh,
do events with sourcetype=xxxxxxx:deployment-info continously arrive or not?
did you used the same time period (e.g. earliest=-2h@h latest=-h@h)? don't use latest=now.

Bye.
Giuseppe

Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...