Hi,
I am trying to collect the previous 7 days' data for baselines. For selecting the result set I have tried the searches below and got a different result in each case.
There are 1,155,072 events indexed in the selected interval.
***`index="my_idx" earliest="-15d@d" latest="-5d@d"`***
gives **1,155,072** events
1. Stats of events of each TYPE
***`index="my_idx" earliest="-15d@d" latest="-5d@d"|stats count by TYPE`***
gives **230,336 events for each** TYPE, i.e. a total of **921,344 events**,
but actually there are 1,155,072 events in total. Why this mismatch?
2. Trying to get events with TYPE=T1, I expected it to yield the same event count in all of the cases.
a. ***`index="my_idx" earliest="-15d@d" latest="-5d@d"|where TYPE="T1"`*** gives **288,768** events
b. ***`index="my_idx" earliest="-15d@d" latest="-5d@d" TYPE="T1"`*** gives **253,360** events
c. ***`index="my_idx" earliest="-15d@d" latest="-5d@d"|where TYPE="T1"|stats`*** gives **230,336** events
d. ***`index="my_idx" earliest="-15d@d" latest="-5d@d" TYPE="T1"|stats`*** gives **230,336** events
What is the difference between the search queries 2.a. and 2.b? Which of the two is preferable to use?
Why is there so much inconsistency in the result?
I need to use the stats command in my search, but as mentioned above, the result count obtained with and without stats differs. The same is the case with the use of the **table** command. Is there any workaround for this?
Please correct me if there is something wrong in our approach.
Thanks,
Jincy
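The following diagnostic search is an added example, not part of the original post, that a practitioner would run before comparing the counts above. It uses the same `index="my_idx"` and `TYPE` field names as the post and assumes `T1` is one of the field's values. It splits the 1,155,072 events in the interval by whether the `TYPE` field exists at all, and then counts `T1` matches three ways: as a search-bar term (`TYPE="T1"`, which matches the field value case-insensitively), as an `eval`/`where`-style comparison (`TYPE="T1"` inside `eval`, which is an exact, case-sensitive comparison), and as `stats count by TYPE` (which only counts events that carry a `TYPE` field). Because `stats` drops events with no `TYPE` value, its per-value totals cannot be expected to add up to the raw event count when some events lack the field.

```spl
index="my_idx" earliest="-15d@d" latest="-5d@d"
| eval has_type = if(isnull(TYPE), "missing", "present")
| eval exact_t1 = if(TYPE="T1", 1, 0)
| eval ci_t1    = if(match(TYPE, "(?i)^T1$"), 1, 0)
| stats count                 as total_events,
        count(TYPE)           as events_with_TYPE,
        sum(exact_t1)         as where_style_T1,
        sum(ci_t1)            as search_term_style_T1
        by has_type
```

Read the output as follows: `total_events` summed over both rows should equal 1,155,072; `events_with_TYPE` on the `present` row should match the sum of the `stats count by TYPE` results (921,344 in the post); `where_style_T1` corresponds to search 2.a and `search_term_style_T1` to search 2.b, so a gap between those two columns points at case differences in the stored `TYPE` values, while a non-zero `missing` row explains why per-TYPE totals fall short of the raw event count. Whether `where`, a search-bar term, or `stats` is "preferable" then depends on which of those populations the baseline is meant to include.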