Hi All,  I am confused as in why earliest time modifier is not working out in my case ? Someone pls clarify why is splunk displaying the results this way ?

Below is my search 

(index=linux source="/var/log/secure" "Failed password") earliest=-1d
| stats latest(_time) as _time, values(host), values(dest_ip), values(source), values(src_ip), values(src), dc(src_ip) as srcIpCount, dc(src) as srcCount, values(user), dc(user) as userCount, count as failures by src_ip dest
| rename values(*) as *
| table _time dest dest_ip host source srcIpCount src_ip srcCount src userCount user failures
| where failures>10 AND userCount>1

This does not show any results with earliest = -1d ( Today being Nov 2 2021)

Now if i change earliest=-7d , then it shows results where _time = Nov 1 2021 which is yesterday.  Below screenshot.    Why didn't earliest = -1d or even -2d show these results ?  What is making -7d pick these up but not -1d or -2d ?