Reporting

Why are the numbers are increasing when connecting the panel with the saved search?

khojas02
Engager

I am trying to reference the data from the saved search in my dashboard. In the saved search the span is specified as 1 day so when I source the data from it, it gives me correct results for the first time I run the search with yesterday selected on time picker.
However every time after that, the numbers are getting increased in the dashboard. Even if I select yesterday on the time picker, the numbers are increasing and the same applies for other time ranges as well such as previous month or last 3 months.
I have attached 2 screenshots. In the Scenario 1, the numbers are increasing when I run the search second time with the same time range specified in the saved search i.e 1 day
In the scenario 2, I changed the time picker to previous month and again the numbers are increasing and not matching with the save search result
Any help would be appreciated!!
alt text

Tags (1)
0 Karma

woodcock
Esteemed Legend

First of all, never use join so that's one problem (it does not scale and almost always give wrong and varying results). Second, it is EXTREMELY common for events to be timestamped incorrectly and thrown into the future (we have a Health Check offering that covers this) so that the later your search runs for any Past time period, the morefutureevents have trickled into it. To see how bad your problem is, installMeta Woot!`.

0 Karma

to4kawa
Ultra Champion

please provide your query's text without sensitive data and explain lookup file and fields.
I think your query:

scenario-1:

index=A source=foo
|stats sum(emails) as emails by type

scenario-2:

index=B rule=* mod=spam
| join type=inner rule [|inputlookup C ]
| bin _time span=1mon
| stats dc(s) as emails by _time type
| collect index=B source=bar testmode=false
| fields - _time

If you output the results to the summary index and search again, the results will increase.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...