
Confusing search results

Hi! I have two identical searches running on the same search head but with different time frames. What confuses me is that where the searches overlap in time, the results are different from one to the other, which doesn't make much sense to me. The two searches are:

    index=XXXXXXXXXXXX sourcetype=XXXXXXXXXXX earliest=0 latest=@h | dedup src_ip sortby +_time | table src_ip,_time

and

    index=XXXXXXXXXXXX sourcetype=XXXXXXXXXXX earliest=-1h@h latest=@h | dedup src_ip sortby +_time | table src_ip,_time

As you can see, the searches are identical except for the time frames. When I run the second search, it results in MORE events over the last hour of the search than the first search over the same last hour. The searches are run at the same time. Any ideas why this happens?
