Using the time selector in search I run this search for yesterday (-1d@d to @d; aka 2016-04-17 EDT):
| tstats count min(_time) as Min max(_time) as Max where index=main
2016-04-17 EDT is equivalent to 1460865600 - 1460952000 in "unix" time. If I use those values in the advanced fields of the time range picker, I get the same results (expected). But, if I add those to the `tstats` command using where, it returns a far smaller count, and the Max and Min values are also a few seconds off.
| tstats count min(_time) as Min max(_time) as Max where index=main and _time>= 1460865600 and _time<= 1460952000
It seems like I should get the same results. What am I missing?
Thanks!
↧