We are running SE 6.5.4, ES 4.7.1, Splunk_SA_CIM - 4.8.0
I'm getting a discrepancy between 3 searches over the exact same 15 minute period (any given 15 minute period) for the following 3 searches:
| tstats count FROM datamodel=Web WHERE Web.action=blocked BY Web.category (test case: 49 results)
| tstats `summariesonly` count FROM datamodel=Web WHERE Web.action=blocked BY Web.category (test case: 44 results)
index=XXXX_proxy action=blocked | stats count by category (test case: 49 results)
Web datamodel is accelerated, Earliest time as set in CIM setup = 2 months
The disparity is not consistent. Sometimes the result count is equal for all 3 searches, sometimes the 2 data model searches are equal and raw is different, etc.
This is making us question the validity of our data models; it seems all three result sets should be the same.
How should I troubleshoot this?
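A side-by-side comparison search, added here as an example and not part of the original question. It runs the three searches above in one job so that all of them share the same time picker range, tags each count with its source, and lists only the categories where the counts differ. It assumes the same `XXXX_proxy` index placeholder as the question and that the ES `summariesonly` macro expands to `summariesonly=true` (which reads only the acceleration summary; without it, tstats falls back to raw events for any time range the summary has not yet covered). Category values are constructed by the search itself, so there is no sample data to embed.

```spl
| tstats summariesonly=true count AS summary_count
    FROM datamodel=Web WHERE Web.action=blocked BY Web.category
| rename Web.category AS category
| append
    [| tstats count AS dm_count
        FROM datamodel=Web WHERE Web.action=blocked BY Web.category
     | rename Web.category AS category]
| append
    [search index=XXXX_proxy action=blocked
     | stats count AS raw_count BY category]
| stats sum(summary_count) AS summary_count
        sum(dm_count)      AS dm_count
        sum(raw_count)     AS raw_count
        BY category
| fillnull value=0 summary_count dm_count raw_count
| eval delta_summary = dm_count - summary_count,
       delta_raw     = raw_count - dm_count
| where delta_summary != 0 OR delta_raw != 0
| table category summary_count dm_count raw_count delta_summary delta_raw
```

Run it over the same 15 minute window as the original three searches. A non-zero `delta_summary` on a category points at events the accelerated summary does not yet contain for that window; a non-zero `delta_raw` points at a difference between the raw extraction of `category`/`action` and the data model's `Web.category`/`Web.action` mapping. Replacing `BY Web.category` (and `BY category`) with `BY _time span=1m` in all three legs localizes a gap to specific minutes instead of specific categories.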