I have created a summary index, from the following query (i called it base query), and the summary index configured to run every 15min, time range is -17 to -2 mins.
source= | sistats avg(response_time) count by source, server_name, status_code, application
When i compare the result between the summary index and the base query in the same period, like yesterday with\without the 15 mins windows adjustment. There is a huge difference in the results, it does not matter count by source, server_name, status_code or application by itself.
source= | stats count by source
vs
index=summary search_name="summary_web_sistats" | stats count by source
What i did wrong here? Does anyone have the same issue using summary index?
I have never faced the same issue, but I sometimes see similar issue in my labo. As for my case, timestamp of indexed log was not correct or splunk took time to index the data due to some reasons. I am not sure if these factor is related to your case. But if timestamp of log or indexing time is not accurate, this affect summary index results.
