How would searching in VERBOSE mode and a strict timerange for
index=foo host=bar | stats count return a much larger value than the number of events I see
Even if I search for
index=foo host=bar in the same time frame I have much less events than what the count reports. What is wrong? How can Splunk count the events with a specific host but then not returning them?
P.S.:please note the attachments evidence
By strict timerange, are you referring to non-relative time?
So when you run stats, its returning a value of 1 and when you strip off stats its returning zero events?
Strange Indeed. Do you get results in statistics tab with something like this?
index=foo host=bar | table _time _raw
Also, did you try running it in different browser?