Solved: Re: Inconsistent search result

PeterEccles · ‎12-23-2020

I have been using the range picker for a long time to run a search against data ingested the previous day. I normally use the Date Range picker and select the date between yesterday’s date 00:00 and yesterday’s date 24:00. This has worked fine for me. I was told that I can just use the "Yesterday" preset (or add earliest=-d@d latest=@d to the query). I know its obvious, but I missed it.

I get different results if I use the preset "Yesterday" against what I have been doing with the date picker. This is not a minor difference.

Can anyone think why this might be happening?

Thank you!

PeterEccles · ‎12-24-2020

Please ignore this. I made a mistake 😞

View solution in original post

annbrown · ‎12-24-2020

It's okay, it happens. Meanwhile, I would like to say that I'm a dissertation literature review writer.

PeterEccles · ‎12-24-2020

Please ignore this. I made a mistake 😞

to4kawa · ‎12-23-2020

My sample query's result is following(Today is 12/24):

yesterday: 57,233 events (12/22/20 12:00:00.000 AM to 12/23/20 12:00:00.000 AM) 12/23 00:00:00~24:00:00:123,998 events (12/23/20 12:00:00.000 AM to 12/24/20 12:00:00.000 AM)

I think @d is not the intended date.

PeterEccles · ‎12-24-2020

-d@d is 100% coming back with the correct date (yesterday) it just not the same number of results as when I pick the date from the ranger picker.

Inconsistent search result

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Join the Conversation

Inconsistent search result

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives