I've recently upgraded a test server of mine from 6.x.x to 7.2.x to find a weird bug and I'm wondering if anyone else is having a similar issue. The following scenario works just fine in 6 but doesn't work in 7. I have a tstats command that requires earliest/latest parameters, then pipes to an addinfo command, but I think I'm getting two different results. It appears that I only get events within the earliest/latest limits, but the addinfo command returns the time picker's earliest/latest limits regardless of time parameters.
Another part I'm finding peculiar is if I don't use tstats and I just do a normal index="my_index" search, everything seems to work as I intended. To put it in a pseudo-code context, I have two searches with the time picker set to last 30 days:
| tstats sum(base.purchase) from datamodel=MyDataModel.base where earliest=-7d latest=@d | addinfo
index=my_index earliest=-7d latest=@d | stats sum(purchase) | addinfo
Search A and B will both give me a sum of all purchases within the last week, but search A will set the info_min_time value to be the epoch time of 30 days ago (time picker value) while search B will set the info_min_time value to be the epoch time of 7 days ago (the searches
Has anyone else run into this problem or been able to replicate similar results? Some of the searches I'm running are using a combination of the tstats/earliest/latest/addinfo commands and I'd like to avoid switching from tstats for as long as possible.