I have created a query and sending the results of the query to summary index using collect command.
I have scheduled a report containing the same query which runs every 4 hour.
The issue is the scheduled report is generating lesser results than the results I get if I run the same query in the verbose mode in UI.
Note : The query which we have scheduled gives correct results when we run it in verbose mode. In fast mode, it gives different results.
For your reference, the query in the scheduled report is :
(index=abc sourcetype=abcd earliest=-4h@h latest=@h) OR (index=xyz source="24*xyz"earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMIN) as ADMIN values(ANUM) as ANUM values(TRSIZ) as TRSIZ values(NETNAME) as NETNAME values(STCH) as STCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMIN ANUM TRSIZ NETNAME STCH MEMNAME ROUTESET
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMIN ANUM TRSIZ NETNAME STCH MEMNAME ROUTESET
| search OPC=* AND DPC=* AND A=*
| collect index=abc_xyz source="abc"
... View more