Maybe I'm not understanding the way this works, but I have other searches that use it just fine. The only difference is that the searches that give me incorrect results are the ones in which I am searching two indexes, for instance: search index="example1" OR index="example2".
Anyway, here is a sample search using a 7 day window:
index=example1 OR index=example2
| eval name1=coalesce(lower(name1),lower(name2))
| eventstats values(index) as index values(field7) as field values(field8) as field2
| eval Countdata=if(field="Enabled" AND NOT like(field2, "%excluded%") AND index!="example2","True",null())
| timechart span=1d count(eval(Countdata="True")) AS Count
So there's a simple version of the search. I get accurate numbers when I zero in on specific dates, but when I want to create trend data for a week or larger time range, then I get different counts. The strange thing is, when I click on the day and view events in a different search window I get the correct counts. Is there a way to either correct this or get the weekly trend data without using a 7 day time range?
UPDATE
So I did some major digging to see exactly what events were present on the daily searches but not present on the weekly searches. There are a handful of assets that show up when I search individual days but don't show up when I search the entire week. There isn't really anything unique about them. It seems to be stemming from the search condition that specifies the index name. I'm not sure why the condition is fulfilled when I search the day, but not when I search the week. I have tried using where statements as well as using the if condition, and I have the same issues. I have also tried to use append/join instead of the OR in the search, and I still get it as well.
UPDATE 2
So it looks like the issue is with how the data is being laid out in the eventstats command.
| eventstats values(index) AS index dc(index) as Indexcount BY Name
When an item from days 1-5 for instance, goes from being in one index to both indexes, it shows as having been in both indexes for all days, for some reason. Now to figure out why.
Thanks
UPDATE 3 Working
Here is the search that ended up giving me correct numbers. Sorting by time seemed to work better than date_mday, which was another option, but it limits me
index=index1 OR index=index2
| eval Name=coalesce(lower(Name),lower(Name2))
| bucket _time span=1d
| eventstats values(index) as index BY Name,_time
| where Status="Enabled" AND (Type="Type1" OR Type="Type2" OR Type="Type3") and index!="bh_lh_encryption"
| timechart span=1d dc(Name)
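To show why the weekly eventstats mis-tags assets, here is an added simulation (not part of the original post or of Splunk) that models `eventstats values(index) AS index BY Name` against `BY Name,_time` on constructed sample events; the host names, dates and the multivalue behaviour of the index!= check are assumptions chosen to match what the post reports.

```python
from collections import defaultdict
from datetime import date

# Constructed sample events (not from the original post). host-a is only in
# index1 on days 1-5 and appears in both indexes from day 6; host-b stays in index1.
EVENTS = (
    [{"_time": date(2023, 1, d), "index": "index1", "Name": "host-a", "Status": "Enabled"} for d in range(1, 8)]
    + [{"_time": date(2023, 1, d), "index": "index2", "Name": "host-a", "Status": "Enabled"} for d in range(6, 8)]
    + [{"_time": date(2023, 1, d), "index": "index1", "Name": "host-b", "Status": "Enabled"} for d in range(1, 8)]
)


def eventstats_values_index(events, by):
    """Model `eventstats values(index) AS index BY <by>`: each event receives the
    set of index values seen across every event sharing the same BY key."""
    groups = defaultdict(set)
    for e in events:
        groups[tuple(e[k] for k in by)].add(e["index"])
    return [dict(e, index=groups[tuple(e[k] for k in by)]) for e in events]


def daily_enabled_hosts(events, by):
    """Model `where Status="Enabled" AND index!="index2" | timechart span=1d dc(Name)`.
    Assumption matching the post's observation: an event whose multivalue index
    field includes index2 fails the index!="index2" condition and is dropped.
    _time is already a calendar day here, i.e. after `bucket _time span=1d`."""
    per_day = defaultdict(set)
    for e in eventstats_values_index(events, by):
        if e["Status"] == "Enabled" and "index2" not in e["index"]:
            per_day[e["_time"].day].add(e["Name"])
    return {day: len(names) for day, names in sorted(per_day.items())}


# BY Name only (the original weekly search): host-a is tagged with both indexes
# on every day of the week, so days 1-5 lose it although it was only in index1 then.
WEEKLY_BY_NAME = daily_enabled_hosts(EVENTS, by=("Name",))

# BY Name,_time (the fixed search): the index set is computed per day,
# so days 1-5 keep host-a and only days 6-7 drop it.
WEEKLY_BY_NAME_TIME = daily_enabled_hosts(EVENTS, by=("Name", "_time"))

if __name__ == "__main__":
    print("BY Name      :", WEEKLY_BY_NAME)
    print("BY Name,_time:", WEEKLY_BY_NAME_TIME)
```

Running a single day in its own search window behaves like the BY Name,_time case, because eventstats then only ever sees that day's events, which is why the daily counts looked right while the weekly trend did not.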