I'm trying to create a table over a 6-month period, showing the number of items sold in each month (e.g. 10 ItemA & 20 ItemB in Jan, 15 ItemA & 10 ItemB in Feb, etc). However, when doing a comparison between the number of events returned and the values in the table, I found that there is a difference between the two. For example, the table shows 10 ItemA & 20 ItemB in Jan, but if I only query for Jan events, the actual number of events is 15 ItemA & 25 ItemB.

My query is

index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | search mname = "itemC" | dedup f_1 f_2 | stats count by id _time

My query above is searching only for a specific item, in an attempt to troubleshoot.

If my time range is set to "Last 6 months", I get the following values in the table (showing only Oct, Nov and Dec here):
Oct = 18, Nov = 10, Dec = 11

If my time range is set to "During X 2019", where X is Oct, Nov and Dec, i.e. I search specifically during that month only, I get the following number of events:
Oct = 26, Nov = 14, Dec = 11

Missing events for Nov : 4 events on 30 Nov
Missing events for Oct : 5 events on 31 Oct, and 3 events on 27 Oct

I'm not sure why I get different results using the same query, if I change my time range.