Just noticed something a little strange,
I am running a query to count the number of a certain transaction.
When I run this query for a set date say the 23rd of June, it returns about 5.5k results.
Yet if I run the query with a time chart over the span of 1 month, it returns double the results in the count.
When I click into the events from this search it shows the original number as returned by the search of just that day.
Would someone be able to answer why this occurs?
Search query for the single day is:
host=myComputer-* index=index "KeyPhrase" success=True NOT (Content=Test1 OR Content=Test2) Crm=myRequest | stats count
and for the monthly one I run:
host=myComputer-* index=index "KeyPhrase" success=True NOT (Content=Test1 OR Content=Test2) Crm=myRequest | timechart count
Any help appreciated.
By default, the timechart command will create "empty events" for timeslots with no data so that the spacing on the visualization will be even on the X-Axis. I assume this is what you are noticing.
This would result in double the number of events counted?
Like in my issue when I count the single day events it shows roughly 5.5k.
Yet when I run the monthly time chart search, it counts 11k roughly as that day's number of events.
I click into show events that returns the 11k and it resolves to 5.5k results on the day.
Are you saying that the field count is doubled? That makes no sense to me.
Yeah exactly, so my daily search returns a number of 5326 for the 23rd of June.
Yet my search for the entire month of June, on the 23rd shows 10652.
I have this same issue for the following day as well. Yet all the rest of the days of the month are displayed as they should be - counts from timechart search match count from daily count.
Can you try this to see if that makes any difference?
host=myComputer-* index=index "KeyPhrase" success=True NOT (Content=Test1 OR Content=Test2) Crm=myRequest | bucket span=1d _time | stats count by _time
Nope still the same.
Returns the double value in the statistics tab, for count as 10652, and if I click into the events for the day in question, 23rd of June, that returns the correct count of 5326.
Thanks for the input. It is a puzzling issue.
If I change the monthly timechart search to a | stats count by date
it still returns the same wrong result for the dates in question.
The issue is surely that in the chart case you are using date but in the timechart case you are using _time. If the date field is a multi-valued field with 2 values, then this will cause doubling. Is this what is happening?
My understanding was the timechart was charting over a period of time, in this case a month, and creating buckets of 1 day for each of the 30.*.
If I do a stats count on that given date, 23rd of June, it returns one result.
If I do a stats count by date (buckets of 1 day) over the month, I get the same doubled results.
Even if it was counting double, when I click into show events surely then it would have doubled events, rather than just half the count value?