bucket _time produce extra count result

dannili · ‎03-20-2019

I was trying to compare events from the last two days respectively (and it should be last 24 hours instead of the day before 00:00) I used bucket _time to get the count result from each two day by setting time range in the search box as Last 2 days. However, the count produced have three results instead of 2:

index=* 
| *** base search ***
| bucket _time span=24h
| stats count by _time

Here's my result:

_time                              count
2019-03-18 08:00          1
2019-03-19 08:00          11
2019-03-20 08:00          15

But the correct result should be:

_time                           count
2019-03-19 08:00            12
2019-03-20 08:00            15

Does anyone know what's the problem? Thank you so much for the help!

dannili · ‎03-20-2019

Right now my workaround solution is using eval:

| eval _time = _time -28800
| bucket _time span=24h
| eval _time = _time +28800
| stats count by _time

Because I checked the only event on 18th is on 8 AM but I wonder if there's any better solution?

bucket _time produce extra count result

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

bucket _time produce extra count result

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025