I ran into the same thing, but I noticed that when I run my queries against a data model that is not accellerated, I get the right results.

Is there a reason why running against a datamodel that is accelerated and the same data model that is not accelerated yield different results?

This thread is more than a year old so you are more likely to get responses by submitting a new question.

Hi @richgalloway 

Thank you for your response. But in my case there are no groups, because i used also another field (id) in by section, which is unique. So I expected to see all events with their original timestamps.

tstats by _time supports the span= argument, so you can do span=1s to get the a 1 second bucket of _time

Hi @LIS 

@richgalloway  is correct, it's due to grouping by the _time field.

If you do want to pull the original _time out of the event then do not group by _time but pull it out as a field value, e.g.

| tstats max(_time) AS _time values(text_len) as text_len  values(ts) as ts where index = data sourcetype = cdr by thread_id num_attempts 

 This assumes that each event has a unique thread_id and num_attempts, but hopefully this demonstrates the difference in what you expected.

tstats still would have modified the timestamps in anticipation of creating groups.  It wouldn't know that would fail until it was too late.

If this was a stats command then you could copy _time to another field for grouping, but I don't know of a way to do that with tstats.