Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I get a different result from tstats when using the time range picker vs using where _time > value?

twinspop
Influencer
‎04-18-2016 04:10 PM

Using the time selector in search I run this search for yesterday (-1d@d to @d; aka 2016-04-17 EDT):

| tstats count min(_time) as Min max(_time) as Max where index=main

2016-04-17 EDT is equivalent to 1460865600 - 1460952000 in "unix" time. If I use those values in the advanced fields of the time range picker, I get the same results (expected). But, if I add those to the tstats command using where, it returns a far smaller count, and the Max and Min values are also a few seconds off.

| tstats count min(_time) as Min max(_time) as Max where index=main and _time>= 1460865600 and _time<= 1460952000

It seems like I should get the same results. What am I missing?

Thanks!

0 Karma
Reply

breddupuis
Explorer
‎12-13-2017 01:42 AM

Can you try this

| tstats count min(_time) as Min max(_time) as Max where index=main AND _time>= 1460865600 AND _time<= 1460952000

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...