topic Re: Same query is giving diff count in dashboard panel and search in Dashboards & Visualizations

Same query is giving diff count in dashboard panel and search

Punnu — Tue, 06 May 2025 23:44:49 GMT

Hello All ,
I am running one query and exactly sme query I am trying to run from search but I am getting diff counts .

```query for apigateway call``` index=aws_np earliest=1746540480 latest=1746544140 Method response body : sourcetype="aws:apigateway" | rex field=_raw "Method response body : (?<json>[^$]+)" | spath input=json path="header.messageID " output=messageID | spath input=json path="payload.statusType.code" output=status | spath input=json path="payload.statusType.text" output=text | spath input=json path="header.action" output=action | where status=200 | rename _time as request_time ```dedupe is added to remove duplicates ``` | dedup messageID | append [ search index="aws_np" earliest=1746540480 latest=1746558480 | rex field=_raw "messageID \": String\(\"(?<messageID >[^\"]+)" | rex field=_raw "source\": String\(\"(?<source>[^\"]+)" | rex field=_raw "type\": String\(\"(?<type>[^\"]+)" | rex field=_raw "detail-type\": String\(\"(?<detail_type>[^\"]+)" | where source="XXX" and type="XXXXX" and detail_type="XXXX" | stats distinct_count( messageID ) as cnt_guid by messageID ,_time ``` by time is added because we are duplicate records of same time and guid ``` | stats count(cnt_guid) as published_count by messageID | dedup messageID | fields messageID , published_count ] | stats values(action) as request_type sum(published_count) as published_count2 by messageID | where isnotnull(request_type) | eventstats sum(published_count2) by request_type| dedup request_type | search request_type="Create" OR request_type="Update" | head 2 | fields sum(published_count2) request_type

So I ran query from dashboard panel and then used RUN Search option to run it direclty but I am getting diff count . Search is giving correct result . Dashboard is giving less

Re: Same query is giving diff count in dashboard panel and search

bowesmana — Wed, 07 May 2025 00:44:22 GMT

How long is your search taking - you are searching a 61 minute window in your outer search and a 5 hour window in your append.

Is the search in your dashboard part of a base search?

How long do each of the individual searches take and if you put both of those individual searches into a dashboard as individual searches, so they give the correct result counts vs. running it as a search directly.

Re: Same query is giving diff count in dashboard panel and search

livehybrid — Wed, 07 May 2025 08:28:55 GMT

Hi @Punnu

Are you running the search manually from the same app context as the dashboard?

It could be that certain field extractions etc work differently if there is an app-context field eval, for example.

Are there any warnings when running it in the UI via the search bar?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Same query is giving diff count in dashboard panel and search

Punnu — Wed, 07 May 2025 13:49:56 GMT

Hello @bowesmana Yes outer query is for 1 hr and inner is for 5 hrs . Are u saying these two in separate panel and use result of these in third one and append it ?

Re: Same query is giving diff count in dashboard panel and search

bowesmana — Thu, 08 May 2025 00:23:59 GMT

You didn't answer how long your search is running for - I didn't mean the time range, I mean the amount of time the search takes to run. Also, see the other questions.

I'm suggesting you split out the searches just to experiment if both are giving the correct count when run individually in the dashboard AND in a manual search.

If you shorten the time window do the results then work.

You will need to provide more detail. Look at the search job properties and look at result count and scanCount.