I’m running the below search against the ‘Web’ data model in ES. Everything works fine with the exception that the ‘historical_count’ is off. For some reason we’re getting lower historical values for some hosts than current, which should be impossible since the historical search encompasses the same hour as the current (plus an additional 23h).
I’ve tried separating the searches and I’m still seeing higher counts over the shorter 1h period than the 24h (not for all hosts, just some). Any ideas?
| tstats dc(Web.http_user_agent) as current_count from datamodel=Web where earliest=-1h@h latest=+0s Web.http_user_agent!=unknown groupby "Web.src"
| appendcols [| tstats dc(Web.http_user_agent) as historical_count from datamodel=Web where earliest=-24h@h latest=+0s Web.http_user_agent!=unknown groupby "Web.src"]
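Added example (not part of the original post, and not the poster's search): `appendcols` does not match rows on `Web.src`; it pastes the subsearch's rows next to the outer results by row position. Because the two `tstats` calls can return hosts in different orders, or return different sets of hosts, a `historical_count` can land on the row of a different host, which is how a 1h count ends up larger than the 24h count it sits beside. The version below, which assumes the same `Web` data model and fields as the post, keeps the two counts keyed to the host by appending the rows and then re-aggregating with `stats ... by Web.src`.

```spl
| tstats dc(Web.http_user_agent) as current_count from datamodel=Web
    where earliest=-1h@h latest=now Web.http_user_agent!=unknown
    by Web.src
| append [
    | tstats dc(Web.http_user_agent) as historical_count from datamodel=Web
        where earliest=-24h@h latest=now Web.http_user_agent!=unknown
        by Web.src ]
| stats max(current_count) as current_count max(historical_count) as historical_count by Web.src
| fillnull value=0 current_count
| eval ratio=if(historical_count>0, round(current_count/historical_count,2), null())
```

Each host now carries its own pair of counts: a host seen only in the 24h window gets `current_count=0` rather than inheriting a neighbour's value, and a host in the 1h window is always in the 24h window, so `historical_count` is never null. As a check, append `| where current_count > historical_count` to this search; it should return no rows. Note that `append` subsearches are still subject to the subsearch result limit, so on a large host population the 24h side can be truncated; one `tstats` over the 24h window split with `by Web.src _time span=1h` avoids the subsearch entirely.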