Inconsistency in search results with time settings...

bo2057 · ‎10-24-2022

Hello,

| transaction RRN keepevicted=t | search date_hour <6

If I execute this search with a specific date(10-10-2022) I get 5 events.

If I execute this search with preset "all-time" I get no results.

If I execute this search with preset "last 30 days" I get no results.

All searches done in verbose mode.

Why don't I get results with preset "all-time" and/or " last 30 days"

Thanks

gcusello · ‎10-24-2022

it's a strange behavior, did you use the same Search Mode=Verbose in all the tests?

Anyway, if possible avoid to use the transaction command that's very slow, and try to use stats, something like this:

<your_search>
| stats min(date_hour) AS date_hour BY RRN 
| search date_hour<6

Ciao.

Giuseppe

bo2057 · ‎10-24-2022

Hi Giuseppe,

Yes all searches were done in verbose mode. Using stats in no option because I have to concatenate 3 events into 1.

Inconsistency in search results with time settings?