Solved: Data disappears in expanded search time

michaeler · ‎12-04-2023

I'm trying to have a timechart showing the count of events by a category grouped by week. The search time is controlled by a radio button on the dashboard with options from 1w - 12 weeks with the end date set to @w. I then have a drilldown that shows a table with more info about each event for that category in that time range.

mysearch ....
| dedup case_id
| timechart span=1w count by case_category

The chart looks fine but when I click on certain sections to load the drilldown, much more data appears than was suggested by the count in the timechart. For instance, looking at Nov 19-25, in the timechart it shows 26 events, but when I go to the drilldown it shows 61.

When I open the drilldown search in Search, the issue seems to involve expanding the time range beyond one week. If I change the range from Nov 19-25 to Nov 19-27, the data from Nov 22-24 is either erased or reduced.

Nov 19-25 stats count results:
Nov 19: null
Nov 20: 8
Nov 21: 14
Nov 22: 19 **
Nov 23: 20 **
Nov 24: 1 **
Nov 25: null

Nov 19-28 stats count results:
Nov 19: null
Nov 20: 8
Nov 21: 14
Nov 22: 5 **
Nov 23: null **
Nov 24: null **
Nov 25: null
Nov 26: null
Nov 27: 35
Nov 28: 1

bowesmana · ‎12-04-2023

I suspect there are a couple of things going on.

What is your <drilldown> logic in the XML for picking the start and end data for the drilldown search. If it's not giving you a 7 day range then it seems likely there's an issue there.

Secondly, your primary search is doing dedup case_id.

If your drilldown search is ALSO doing dedup case_id but on a shorter time range, then it's possible that case ids from a date outside the drilldown range that have been deduped are now being counted, i.e. consider

case_id="ABC123" (26 November and also 22 November).

When you dedup on 19-25 November the ABC123 is still counted for 22 November, but when you search 19-27 November, the ABC123 is FIRST found on 26 November, so the count of ABC123 from 22nd November is now removed due to the dedup.

View solution in original post

bowesmana · ‎12-04-2023

I suspect there are a couple of things going on.

What is your <drilldown> logic in the XML for picking the start and end data for the drilldown search. If it's not giving you a 7 day range then it seems likely there's an issue there.

Secondly, your primary search is doing dedup case_id.

If your drilldown search is ALSO doing dedup case_id but on a shorter time range, then it's possible that case ids from a date outside the drilldown range that have been deduped are now being counted, i.e. consider

case_id="ABC123" (26 November and also 22 November).

When you dedup on 19-25 November the ABC123 is still counted for 22 November, but when you search 19-27 November, the ABC123 is FIRST found on 26 November, so the count of ABC123 from 22nd November is now removed due to the dedup.

michaeler · ‎12-05-2023

I was ready to say the dedup wasn't the issue because I thought I previously crossed that off.

The case_id is only supposed to have 2 events; when the case is opened and closed. So I thought each id would only appear twice and the dedup was working in my favor. It looks like I didn't do my due diligence and make sure they're not updated again.

Thanks for forcing me to check back and confirm the case_id's do repeat. I'm glad the solution is simple and something I overlooked.

Pat · ‎12-19-2023

I dunno. I have somewhat of the same issue. A search result shows while its searching and will stay if lower than a certain number of days but then disapears when the search completes over a number of days that is not consistant. So seems related to the length of time of the search. My search has no dedup in it.

Data disappears in expanded search time

count

stats

timechart

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...