Re: Longer Period of Time showing Fewer Results??

essklau · ‎06-02-2014

Hi,

I have a search which returns 37 results for one date (May 30), but 0 results for May 30-Jun2. I am failing to see in the search anything that should be using time or cancelling results from a longer search period.

The search is:

eventtype=mssql-audit class_type=U | lookup dm_audit_actions action_id OUTPUT name
| join host, session_id, server_principal_id [ search eventtype=mssql-audit class_type="*" succeeded="true" src_ip="*" | eval src_ip=if(src_ip=="local machine",host,src_ip) | stats values(src_ip) as src_ip by host,session_id,server_principal_id ]

So why does a search give me results for a period of time, but no results for "period of time" + a day?

Any suggestions would be appreciated.

somesoni2 · ‎06-02-2014

Could you check if individual searches (main search and subsearch) are returning data, for the period May30-Jun02, independently? and have matching events so that join can be applied?

hagjos43 · ‎06-02-2014

try this to help diagnose your problem.

Apply a _time bucket within your query and do a |stats count by _time

| bucket _time span=24h | stats count by _time

essklau · ‎06-02-2014

I switched the span to 1h. There are events in the one day search that break down as expected by the hour. The one day + more days search still returns zero results.

Longer Period of Time showing Fewer Results??

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud