Why are the numbers increasing when connecting the panel with the saved search?


I am trying to reference the data from the saved search in my dashboard. In the saved search the span is specified as 1 day so when I source the data from it, it gives me correct results for the first time I run the search with yesterday selected on time picker.
However every time after that, the numbers are getting increased in the dashboard. Even if I select yesterday on the time picker, the numbers are increasing and the same applies for other time ranges as well such as previous month or last 3 months.
I have attached 2 screenshots. In Scenario 1, the numbers are increasing when I run the search a second time with the same time range specified in the saved search, i.e. 1 day.
In Scenario 2, I changed the time picker to previous month and again the numbers are increasing and not matching the saved search result.
Any help would be appreciated!!

0 Karma

Esteemed Legend

First of all, never use join so that's one problem (it does not scale and almost always gives wrong and varying results). Second, it is EXTREMELY common for events to be timestamped incorrectly and thrown into the future (we have a Health Check offering that covers this) so that the later your search runs for any Past time period, the more future events have trickled into it. To see how bad your problem is, install `Meta Woot!`.

0 Karma

Ultra Champion

Please provide your query's text without sensitive data and explain the lookup file and fields.
I think your query:


index=A source=foo
|stats sum(emails) as emails by type


index=B rule=* mod=spam
| join type=inner rule [|inputlookup C ]
| bin _time span=1mon
| stats dc(s) as emails by _time type
| collect index=B source=bar testmode=false
| fields - _time

If you output the results to the summary index and search again, the results will increase.

0 Karma
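
A check for the effect described in the answer above, as an added example that is not part of the original thread: it looks for summary rows that `collect` has written more than once for the same time bucket and `type`. It assumes the index, source and field names from the guessed query (`index=B source=bar`, `type`, `emails`), which may differ in the real search.

```spl
index=B source=bar
| eval written=_indextime
| stats count AS copies, min(written) AS first_written, max(written) AS last_written, values(emails) AS emails_seen BY _time, type
| where copies > 1
| eval first_written=strftime(first_written, "%Y-%m-%d %H:%M:%S"), last_written=strftime(last_written, "%Y-%m-%d %H:%M:%S")
| sort - copies
```

Any row returned means a panel that sums `emails` over the summary index counts that bucket `copies` times. If `emails_seen` holds more than one value, the underlying count itself changed between runs, which is consistent with events arriving after the first run.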