I have this weird issue where the same exact search, run for the same exact period, returns a different number of events each time it is run, thus rendering all attempts at accurate reporting obsolete. The type of search doesn't matter; for instance, whether it has some statistics or it's just a plain search, the same searches return different results. We've checked all the usual stuff: event sampling is turned off, indexing time is OK and it's not lagging, so no skewing of the results can come from this. Searches are run directly against indexes, no data models are involved, and the search logs for the searches are identical for the runs compared to each other. What we discovered for sure is that this issue affects only indexes that are stored in S3 storage. Locally kept indexes are fine and do not have this issue. The S3 storage was tested, it is configured correctly, there are no network disruptions, there are no errors in the logs concerning it, and there's nothing that could hint at a problem. Yet, the problem remains.
Any idea what may be causing this?
Attaching a screenshot just for visualization, and here's the search for which it was made:
index="qualys" sourcetype="qualys:hostDetection" PATCHABLE="YES" NETBIOS="*"