I am trying to reference the data from a saved search in my dashboard. In the saved search the span is specified as 1 day, so when I source the data from it, it gives me correct results the first time I run the search with "yesterday" selected on the time picker.
However, every time after that, the numbers increase in the dashboard. Even if I select "yesterday" on the time picker, the numbers increase, and the same applies to other time ranges such as previous month or last 3 months.
I have attached 2 screenshots. In scenario 1, the numbers increase when I run the search a second time with the same time range specified in the saved search, i.e. 1 day.
In scenario 2, I changed the time picker to previous month and again the numbers increase and do not match the saved search result.
Any help would be appreciated!!
First of all, never use join, so that's one problem (it does not scale and almost always gives wrong and varying results). Second, it is EXTREMELY common for events to be timestamped incorrectly and thrown into the future (we have a Health Check offering that covers this), so the later your search runs for any past time period, the more future events have trickled into it. To see how bad your problem is, install Meta Woot!.
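A quick way to measure the future-timestamp and ingestion-lag problem the answer above describes, without installing anything. This is an added example, not part of the answer: the index name `A` is taken from the question, `sourcetype` and `host` are standard Splunk fields, and the one-hour lag threshold is an arbitrary choice. The explicit `latest=+1y` matters: the default `latest=now` silently excludes exactly the future-stamped events you are trying to find.

```spl
index=A earliest=-30d latest=+1y
| eval lag_seconds = _indextime - _time
| eval bucket = case(_time > now(), "future_timestamp",
                     lag_seconds > 3600, "indexed_1h_or_more_late",
                     true(), "ok")
| stats count as events, max(lag_seconds) as max_lag_seconds by bucket sourcetype host
| sort - events
```

Any non-trivial count in the `future_timestamp` bucket explains why a dashboard panel for "yesterday" keeps growing on re-runs: those events were not in yesterday's window when the search first ran, but they are now. The `indexed_1h_or_more_late` bucket shows sources whose events arrive late, which inflates past windows the same way.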
Please provide your query's text (without sensitive data) and explain the lookup file and fields.
I think your query:
scenario-1:
index=A source=foo
| stats sum(emails) as emails by type
scenario-2:
index=B rule=* mod=spam
| join type=inner rule [|inputlookup C ]
| bin _time span=1mon
| stats dc(s) as emails by _time type
| collect index=B source=bar testmode=false
| fields - _time
If you output the results to the summary index and search again, the results will increase.
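One way to restructure scenario 2 so that re-running it does not inflate the dashboard. This is an added example, not the answer's query, and it assumes a dedicated summary index named `summary` (any index other than `B` would do; `B`, `C`, `bar`, `rule`, `mod`, `s` and `type` are the names from the posted query). Three things change: the search window is pinned to the previous calendar month so each run summarizes exactly one complete bucket; `_time` is kept on the summarized rows so the summary event carries the month bucket instead of the run time; and the results are collected into `summary` rather than back into `B`, the index the search itself reads, which is what made each run count the previous run's output. The `join` is replaced by a subsearch that filters on the lookup's `rule` values (the same inner-join effect, subject to the default subsearch result limit). `testmode=true` shows what would be written without indexing it; change it to `false` only in the scheduled version.

```spl
index=B rule=* mod=spam earliest=-1mon@mon latest=@mon
    [| inputlookup C | fields rule]
| bin _time span=1mon
| stats dc(s) as emails by _time type
| collect index=summary source=bar testmode=true

index=summary source=bar
| timechart span=1mon sum(emails) as emails by type
```

The first search is the one to schedule, once per month shortly after the month ends; the second is what the dashboard panel runs against the summary index, and its time picker can then cover any number of months without touching `B`. Re-running the scheduled search for a month that was already collected appends a second copy of that month's rows, so a month that needs correcting should be removed from the summary index before it is re-collected rather than re-run in place.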