topic Re: timechart count against si gives different max results for 2 intervals in Knowledge Management

timechart count against si gives different max results for 2 intervals

Starlette — Mon, 28 Sep 2020 09:58:14 GMT

I have si search "save" for every 5 mins as :

search = sourcetype="cisco_firewall" | sitimechart count

When running a report for last hour :
search = index=summary marker=cisco_firewall_05 | timechart count

I get line which is 200.000 events

BUT when i ran a "last 4 hours", I get a line in the +1milion count.
I doubt that i am using count over time wrong with si or is this unexpexted behaviour.

if I take a look at a slice for 5 mins in e.g. last 30 mins i get

10/10/11 11:30:00.000 AM 248483
10/10/11 11:31:00.000 AM 252576
10/10/11 11:32:00.000 AM 256538
10/10/11 11:33:00.000 AM 249775
10/10/11 11:34:00.000 AM 246672
10/10/11 11:35:00.000 AM 245773

And for last 4 hours i see 5 minutes bins wich are give the totals...

10/10/11 9:45:00.000 AM 1166499
10/10/11 9:50:00.000 AM 1201649
10/10/11 9:55:00.000 AM 1170088
10/10/11 10:00:00.000 AM 1186497
10/10/11 10:05:00.000 AM 1189967

So how to deal with this?

Re: timechart count against si gives different max results for 2 intervals

Drainy — Mon, 10 Oct 2011 10:25:07 GMT

I would try setting the span on the timechart command as you may find it is trying to figure one out itself which is giving inconsistent results.
Try span=5m to test 🙂

Re: timechart count against si gives different max results for 2 intervals

Starlette — Mon, 10 Oct 2011 10:28:27 GMT

yeah that was the trick,,,,After the + hours the span=5 minutes is added, so thats why within the hour the results are 1/5 off ( just use 1 minute)