https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190584#M54887 <P>The discrepancy is caused by the differing bucket spans. Without specifying anything, a four-hour timechart will use buckets that span five minutes while a one-hour timechart will use buckets that span one minute.</P> <P>If you add up the one-hour timechart's buckets for :45, :46, :47, :48, and :49 you will get 194.</P> Fri, 27 Dec 2013 08:55:08 GMT martin_mueller 2013-12-27T08:55:08Z https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190580#M54883 <P>I executed this search on my data, over two different time ranges:</P> <P>"malware" | timechart count </P> <P>The time ranges were:</P> <P>1) Last 4 hours</P> <P>2) Last 60 minutes</P> <P>The event count in the results, for a selected specific time stamp, were differently reported by the two searches above.</P> <P>For instance, for the selected time of 10:45 am in the search results:</P> <P>1) "Last 4 hours" reported the event count as 194</P> <P>2) "Last 60 minutes" reported the event count as 32</P> <P>Why this huge discrepancy ?</P> Thu, 26 Dec 2013 16:51:36 GMT https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190580#M54883 rahulgopal 2013-12-26T16:51:36Z https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190581#M54884 <P>The screenshots can be accessed here:</P> <P>1) Last 4 hours<BR /> <A href="https://www.dropbox.com/s/nfncfxdrd5elqc7/count_4_hrs.jpg">https://www.dropbox.com/s/nfncfxdrd5elqc7/count_4_hrs.jpg</A></P> <P>2) Last 60 minutes<BR /> <A href="https://www.dropbox.com/s/4qfm3kon3uem6g7/count_60_mins.jpg">https://www.dropbox.com/s/4qfm3kon3uem6g7/count_60_mins.jpg</A></P> Thu, 26 Dec 2013 16:55:30 GMT https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190581#M54884 rahulgopal 2013-12-26T16:55:30Z https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190582#M54885 <P>Upon further investigation, it appears it may be a bug in the Splunk search itself.</P> <P>See my post about it at - "<A href="http://answers.splunk.com/answers/116526/conflicting-event-count-in-search-app-based-upon-time-range">http://answers.splunk.com/answers/116526/conflicting-event-count-in-search-app-based-upon-time-range</A>"</P> Thu, 26 Dec 2013 16:58:18 GMT https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190582#M54885 rahulgopal 2013-12-26T16:58:18Z https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190583#M54886 <P>I found the issue on Splunk v5.0.3, and also on Splunk v6.</P> <P>The screenshots from Splunk v6 can be accessed at:</P> <P>1) Last 4 hours<BR /> <A href="https://www.dropbox.com/s/2ogseohypers9oy/count_4_hrs_Splunk6.jpg">https://www.dropbox.com/s/2ogseohypers9oy/count_4_hrs_Splunk6.jpg</A></P> <P>2) Last 60 minutes<BR /> <A href="https://www.dropbox.com/s/9gjrlj3651iyz5d/count_60_mins_Splunk6.jpg">https://www.dropbox.com/s/9gjrlj3651iyz5d/count_60_mins_Splunk6.jpg</A></P> Thu, 26 Dec 2013 17:11:59 GMT https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190583#M54886 rahulgopal 2013-12-26T17:11:59Z https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190584#M54887 <P>The discrepancy is caused by the differing bucket spans. Without specifying anything, a four-hour timechart will use buckets that span five minutes while a one-hour timechart will use buckets that span one minute.</P> <P>If you add up the one-hour timechart's buckets for :45, :46, :47, :48, and :49 you will get 194.</P> Fri, 27 Dec 2013 08:55:08 GMT https://community.splunk.com/t5/Splunk-Search/Conflicting-Event-count-in-Search-App-based-upon-time-range/m-p/190584#M54887 martin_mueller 2013-12-27T08:55:08Z