Solved: Inconsistent search result

PeterEccles · ‎12-23-2020

I have been using the range picker for a long time to run a search against data ingested the previous day. I normally use the Date Range picker and select the date between yesterday’s date 00:00 and yesterday’s date 24:00. This has worked fine for me. I was told that I can just use the "Yesterday" preset (or add earliest=-d@d latest=@d to the query). I know its obvious, but I missed it.

I get different results if I use the preset "Yesterday" against what I have been doing with the date picker. This is not a minor difference.

Can anyone think why this might be happening?

Thank you!

PeterEccles · ‎12-24-2020

Please ignore this. I made a mistake 😞

View solution in original post

annbrown · ‎12-24-2020

It's okay, it happens. Meanwhile, I would like to say that I'm a dissertation literature review writer.

PeterEccles · ‎12-24-2020

Please ignore this. I made a mistake 😞

to4kawa · ‎12-23-2020

My sample query's result is following(Today is 12/24):

yesterday: 57,233 events (12/22/20 12:00:00.000 AM to 12/23/20 12:00:00.000 AM) 12/23 00:00:00~24:00:00:123,998 events (12/23/20 12:00:00.000 AM to 12/24/20 12:00:00.000 AM)

I think @d is not the intended date.

PeterEccles · ‎12-24-2020

-d@d is 100% coming back with the correct date (yesterday) it just not the same number of results as when I pick the date from the ranger picker.

Inconsistent search result

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation