I'm writing a search to see abnormally high or low levels of traffic from forwarders on a day-to-day basis: getting the previous day's sum of kb, doing an outer join to the previous 7 day's sum of kb.
The interesting issue is that I have part of the search that gives me different results when run inside a join and by itself. This search:
index=_internal source=*metrics.log group="tcpin_connections" earliest="8/20/2015:00:00:00" latest="8/27/2015:00:00:00"
| stats sum(kb) as pKb, min(_time) as t1, max(_time) as t2, values(sourceHost) as pSh, values(hostname) as pH, dc(sourceHost) as pShC, dc(hostname) as pHC by guid
| convert ctime(t1) as pT1| convert ctime(t2) as pT2
| fields pH, pSh, guid, pT1, pT2, pKb, pShC, pHC
| sort pH
gives sensible and seemingly correct values (validated against a pivot and a day-by-day search for the 7 days in question).
This search gives low values for pKb:
index=_internal source=*metrics.log group="tcpin_connections" earliest="8/27/2015:00:00:00" latest="8/28/2015:00:00:00"
| stats sum(kb) as lKb, min(_time) as t1, max(_time) as t2, values(sourceHost) as lSh, values(hostname) as lH, dc(sourceHost) as lShC, dc(hostname) as lHC by guid
| convert ctime(t1) as lT1| convert ctime(t2) as lT2
| fields lH, lSh, guid, lT1, lT2, lKb, lShC, lHC
| join type=outer guid
[search index=_internal source=*metrics.log group="tcpin_connections" earliest="8/20/2015:00:00:00" latest="8/27/2015:00:00:00"
| stats sum(kb) as pKb, min(_time) as t1, max(_time) as t2, values(sourceHost) as pSh, values(hostname) as pH, dc(sourceHost) as pShC, dc(hostname) as pHC by guid
| convert ctime(t1) as pT1| convert ctime(t2) as pT2
| fields pH, pSh, guid, pT1, pT2, pKb, pShC, pHC
]
| sort lH
Any thoughts as why I am getting different results?
... View more