Splunk Search

tstats where clause with subsearch for time modifiers

ejwade
Communicator

I have a tstats search that isn't returning a count consistently. In the where clause, I have a subsearch for determining the time modifiers.

Here's the search:

| tstats 
    count 
    from datamodel=Vulnerabilities.Vulnerabilities
    where index=qualys_i
    [| search earliest=-4d@d index=_internal host="its-splunk7-hf.ucsd.edu" sourcetype="ta_QualysCloudPlatform*" host_detection ("Done loading detections" OR "Running now") 
    | stats `stime(_time)` `slist(_raw)` count by PID 
    | eval duration = last_seen - first_seen ,earliest = strftime(first_seen - 300, "%m/%d/%Y:%H:%M:%S") ,latest = strftime(last_seen + 300, "%m/%d/%Y:%H:%M:%S") 
    | where count > 1 AND duration < 82800 
    | sort -last_seen 
    | head 1 
    | return earliest latest ]

If I run the subsearch on its own...

earliest=-4d@d index=_internal host="its-splunk7-hf.ucsd.edu" sourcetype="ta_QualysCloudPlatform*" host_detection ("Done loading detections" OR "Running now") 
| stats `stime(_time)` `slist(_raw)` count by PID 
| eval duration = last_seen - first_seen ,earliest = strftime(first_seen - 300, "%m/%d/%Y:%H:%M:%S") ,latest = strftime(last_seen + 300, "%m/%d/%Y:%H:%M:%S") ``` Exclude results that ran over 23 hours or didn't finish ``` 
| where count > 1 AND duration < 82800 
| sort -last_seen 
| head 1 
| return earliest latest

I get the time modifiers accurately (e.g., earliest="11/05/2021:06:25:51" latest="11/05/2021:11:31:12").

When I inspect the job (of the first search), it is able to derive the same time modifiers (in phase0, phase1, and remoteSearch).

The issue: when I run the first search, my count is double. In other words, it's double counting each record. If I explicitly put the time modifiers in place of the subsearch, the count is accurate (not double).

Anyone run into this?
