Has anyone had any experience getting different results depending on the date modifiers used to control the dates?
I have a basic search that seems to give different results depending on the date selectors I use.
I want to be able to control the date within the search because I am trying to join different searches together, but when I use it, I get different results as I show below:
I expect 2 and 3 to be the right answer.
no - day & value - time modifier in search - time range selected from the drop-down - no of events for the 7th Feb
1 - 7 feb 2016 27410.63 - no time modifier in the search - all time selected in the presets drop-down time selector - ?? events
1A - 7 feb 2016 32304.73 - no time modifier in the search - Last 30 Days selected in the presets dropdown time selector - 192 events
2 - 7 feb 2016 16152.36 - no time modifier in the search - Date-range from the drop-down time selector between 01/02/2016 and 29/02/2016 selected - 96 events
3 - 7 feb 2016 16152.36 - no time modifier in the search - Date-range from the drop-down time selector between 07/02/2016 and 07/02/2016 selected - 96 events
4 - 7 feb 2016 32304.73 - earliest=-30d in the search - all time selected in the presets drop-down time selector - 192 events
5 - 7 feb 2016 32304.73 - starttime= 01/01/2016:00:00:00 in the search - all time selected in the presets dropdown time selector - 192 events
But I am not sure why I am getting the others?
For instance 16152.36 is the answer I would expect for 7 feb and this can be achieved using 2 & 3 above (using the Date-range from the drop-down time selector)
but I get double the answer 32304.73 when I include a date modifier in the search (which is what I want to be able to do). (Also this happens for a 2 week period, and other periods are okay. And within this 2 week period it is not always double.)
Also, with no 1 search above, I get a different answer altogether (27410.63 all time selected in the presets drop-down time selector).
So basically is the data stored doubled in places? If so why does it not appear when I use the drop-down time selector?
Really appreciate any help/pointers.
The above table can be explained as follows:
no - the search no.
day & value - the value of the chosen field for a specific date
time modifier in search - the time modifier I want to use to control in the search e.g.
time range selected from the dropdown - the time range selected using the dropdown date picker in the top right of the search bar
no of events for the 7th Feb - this is the number of events seen on the 7th feb
My search looks like this (when I want to control the dates searched I use
and place it after
duration=PT3600S and before the
index=core host="snzclakl598" elementType=UGW measObjLdn=*"/UGW Function:"* measInfoId=134221229 OR measInfoId=138412032 duration=PT3600S | eval c138412090_KB_MB=c138412090/1000 | eval c138412094_KB_MB=c138412094/1000 | timechart span=d sum(c134686691) AS "Gi downlink traffic in MB" sum(c134686689) AS "Gi uplink traffic in MB" sum(c138412090_KB_MB) AS "SGi downlink user traffic in MB" sum(c138412094_KB_MB) AS "SGi uplink user traffic in MB" | addtotals fieldname=GiTotalAmount_MB Gi* | addtotals fieldname=SGiTotalAmount_MB SGi* | eval GiTotalAmount_GB=GiTotalAmount_MB*1000000/1024/1024/1024 | eval SGiTotalAmount_GB=SGiTotalAmount_MB*1000000/1024/1024/1024 | fields + _time SGiTotalAmount_GB GiTotalAmount_GB
I'm only guessing, but I wonder if it has to do with the snap-to value. Do you get different results if you run the -30d searches at different times of the day? What if you were to use -30d@d instead to snap to the day?
Not sure if the timechart documentation will be helpful here, but there is lots of info about the various span/bucket options.
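To see which daily bucket actually differs between -30d and -30d@d, here is an added example (not code from either poster and not Splunk's own implementation). It is a simplified model of the relative-time syntax that ignores time zones; the function names are hypothetical and the events are constructed at 4 per hour, i.e. 96 per day as in the question.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

UNITS = {"d": "days", "h": "hours", "m": "minutes"}

def resolve(modifier, now):
    """Resolve -<N><unit>[@d|@h] against `now` (only the subset used in this thread)."""
    m = re.fullmatch(r"-(\d+)([dhm])(?:@([dh]))?", modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    amount, unit, snap = int(m.group(1)), m.group(2), m.group(3)
    t = now - timedelta(**{UNITS[unit]: amount})   # step back first ...
    if snap == "d":                                # ... then snap down to the boundary
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    return t

def daily_counts(events, earliest, latest):
    """Events per calendar day in [earliest, latest), like timechart span=d count."""
    return Counter(ts.date() for ts in events if earliest <= ts < latest)

def constructed_events(start, days, per_hour=4):
    """Constructed sample data: `per_hour` events stamped on every full hour."""
    return [start + timedelta(hours=h)
            for h in range(days * 24) for _ in range(per_hour)]

def compare(now):
    """Return {modifier: (earliest, events in first bucket, events on 7 Feb 2016)}."""
    events = constructed_events(datetime(2016, 1, 1), 70)
    feb7 = datetime(2016, 2, 7).date()
    result = {}
    for modifier in ("-30d", "-30d@d"):
        earliest = resolve(modifier, now)
        counts = daily_counts(events, earliest, now)
        result[modifier] = (earliest, counts[earliest.date()], counts[feb7])
    return result

if __name__ == "__main__":
    # Search run at 15:30 on 1 March 2016 (constructed run time).
    for modifier, (earliest, first_day, feb7) in compare(datetime(2016, 3, 1, 15, 30)).items():
        print(f"{modifier:7} earliest={earliest}  first bucket={first_day}  7 Feb={feb7}")
```

In this model the unsnapped window starts mid-afternoon, so only the first daily bucket is partial; the count for a day in the middle of the range is the same with either modifier.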