When I compare the dashboard results for these two simultaneously executed searches below:
(i) malware in last 60 minutes
(ii) malware in last 4 hours
and view the count of occurrences for the same date/timestamp, the occurrences count is reported very differently, as follows:
(i) malware in last 60 minutes -> count=49
(ii) malware in last 4 hours -> count=106
Attached are the screenshots below:
Why this discrepancy?
My initial thought is differing bucket sizes. 1 hour vs 1 day or something of that nature. In your search are you statically defining your bucket sizes? Something like this?
| bucket span=1h _time | timechart span=1h count(foo) as count
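The following is an added example, not code from the thread: a small Python stand-in for `bucket`/`timechart` that reproduces the effect described above on constructed sample events. It assumes the 60-minute search is auto-binned at 1 minute and the 4-hour search at 5 minutes (an assumption about the dashboard, not something the thread confirms), and then shows that pinning both searches to the same `span` makes the count for a shared `_time` label agree.

```python
"""Added example (not from the original thread): why one _time label
carries different counts in two searches that bin with different spans,
and how a pinned span removes the discrepancy.
All timestamps are constructed sample data, not real malware events."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed window: events start at 08:00 UTC; "now" is four hours later.
BASE = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
NOW = BASE + timedelta(hours=4)


def sample_events():
    """One event every 90 s for four hours, plus a 30-event burst at 11:47."""
    events = [BASE + timedelta(seconds=90 * i) for i in range(160)]
    events += [BASE + timedelta(hours=3, minutes=47, seconds=s) for s in range(30)]
    return events


def bucket(ts, span):
    """Floor a timestamp to the start of its span bucket (like `bucket span=... _time`)."""
    epoch = int(ts.timestamp())
    width = int(span.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def timechart_count(events, span, earliest):
    """Per-bucket counts over [earliest, now], like `timechart span=<span> count`."""
    counts = Counter(bucket(e, span) for e in events if earliest <= e <= NOW)
    return dict(sorted(counts.items()))


def count_at(events, span, earliest, label):
    """The count a dashboard panel shows for one _time label (0 if the bucket is empty)."""
    return timechart_count(events, span, earliest).get(label, 0)


def demo():
    """Return (last-60m count, last-4h count, pinned-60m count, pinned-4h count)
    for the same _time label, 11:45 UTC."""
    events = sample_events()
    label = BASE + timedelta(hours=3, minutes=45)
    # Assumed auto-spans: 1 min for a 60-minute range, 5 min for a 4-hour range.
    # The 1-minute bucket at 11:45 holds only the one regular event at 11:45:00;
    # the 5-minute bucket at 11:45 also holds 11:46:30, 11:48:00, 11:49:30 and the burst.
    last_60m = count_at(events, timedelta(minutes=1), NOW - timedelta(hours=1), label)
    last_4h = count_at(events, timedelta(minutes=5), NOW - timedelta(hours=4), label)
    # Same two time ranges with span pinned to 5m on both: the label now agrees.
    pinned_60m = count_at(events, timedelta(minutes=5), NOW - timedelta(hours=1), label)
    pinned_4h = count_at(events, timedelta(minutes=5), NOW - timedelta(hours=4), label)
    return last_60m, last_4h, pinned_60m, pinned_4h


if __name__ == "__main__":
    print(demo())  # (1, 34, 34, 34)
```

The label 11:45 exists in both result sets, but in the 1-minute chart it names a 60-second bucket and in the 5-minute chart a 300-second one, so comparing the two counts compares different things; an explicit `span=` on both searches (as in the reply above) is what makes the numbers comparable.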