Why are the numbers are increasing when connecting the panel with the saved search?


I am trying to reference the data from the saved search in my dashboard. In the saved search the span is specified as 1 day so when I source the data from it, it gives me correct results for the first time I run the search with yesterday selected on time picker.
However every time after that, the numbers are getting increased in the dashboard. Even if I select yesterday on the time picker, the numbers are increasing and the same applies for other time ranges as well such as previous month or last 3 months.
I have attached 2 screenshots. In the Scenario 1, the numbers are increasing when I run the search second time with the same time range specified in the saved search i.e 1 day
In the scenario 2, I changed the time picker to previous month and again the numbers are increasing and not matching with the save search result
Any help would be appreciated!!
alt text

Tags (1)
0 Karma

Esteemed Legend

First of all, never use join so that's one problem (it does not scale and almost always give wrong and varying results). Second, it is EXTREMELY common for events to be timestamped incorrectly and thrown into the future (we have a Health Check offering that covers this) so that the later your search runs for any Past time period, the morefutureevents have trickled into it. To see how bad your problem is, installMeta Woot!`.

0 Karma

Ultra Champion

please provide your query's text without sensitive data and explain lookup file and fields.
I think your query:


index=A source=foo
|stats sum(emails) as emails by type


index=B rule=* mod=spam
| join type=inner rule [|inputlookup C ]
| bin _time span=1mon
| stats dc(s) as emails by _time type
| collect index=B source=bar testmode=false
| fields - _time

If you output the results to the summary index and search again, the results will increase.

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...