Solved: Re: Inconsistent Predict results

rahulgopal · ‎12-20-2013

Hi

When I compare the dashboard results for these two simultaneously executed searches below:

(i) malware in last 60 minutes

(ii) malware in last 4 hours

and view the count of occurrences for the same date/timestamp, the occurences count is reported very differently, as follows:

(i) malware in last 60 minutes -> count=49

(ii) malware in last 4 hours -> count=106

Attached are the screenshots below:

![4 hours][C:\Temp\4_hrs.jpg]

![60 mins][C:\Temp\60_mins.jpg]

Why this discrepancy?

jordanperks · ‎12-20-2013

I cannot see the jpgs. Can you post your search?

View solution in original post

jordanperks · ‎12-20-2013

I cannot see the jpgs. Can you post your search?

jordanperks · ‎12-20-2013

My initial thought is differing bucket sizes. 1 hour vs 1 day or something of that nature. In your search are you statically defining your bucket sizes? Something like this?

| bucket span=1h _time | timechart span=1h count(foo) as count

rahulgopal · ‎12-20-2013

I've uploaded the jpgs here:

https://www.dropbox.com/s/790dnsdy0bwscb6/4_hrs.jpg

https://www.dropbox.com/s/b6kjx901tuxr86k/60_mins.jpg

Inconsistent Predict results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!