Why do I get a different result from tstats when u...

twinspop · ‎04-18-2016

Using the time selector in search I run this search for yesterday (-1d@d to @d; aka 2016-04-17 EDT):

| tstats count min(_time) as Min max(_time) as Max where index=main

2016-04-17 EDT is equivalent to 1460865600 - 1460952000 in "unix" time. If I use those values in the advanced fields of the time range picker, I get the same results (expected). But, if I add those to the tstats command using where, it returns a far smaller count, and the Max and Min values are also a few seconds off.

| tstats count min(_time) as Min max(_time) as Max where index=main and _time>= 1460865600 and _time<= 1460952000

It seems like I should get the same results. What am I missing?

Thanks!

breddupuis · ‎12-13-2017

Can you try this

| tstats count min(_time) as Min max(_time) as Max where index=main AND _time>= 1460865600 AND _time<= 1460952000

Why do I get a different result from tstats when using the time range picker vs using where _time > value?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation