@kpavan wrote:
But actual data per day is something above 25k, but because of data is getting split so number showing very less per day wise as above table.
... so on, if I change earliest and latest to get last 7 days i get above 25k or 26k but if use timechart then its half the number.
I think you misunderstood what timechart span=1d does. The problem does not exist. Let me break down a little.
First, if you perform
index=something sourcetype=something earliest=-1d@d latest=-0d@d
| stats max(_time) as _time dc(id) as total
you'll get something like
Then, perform
index=something sourcetype=something earliest=-2d@d latest=-1d@d
| stats max(_time) as _time dc(id) as total
output will look like
and so on. The point is, this sequence is exactly what timechart span=1d@d does. Timechart does not reduce counts by half; it simply performs the count day by day, day after day.
Secondly, why does
index=something sourcetype=something earliest=-7d@d latest=@d
| stats dc(id) as total
end up only 26894 instead of the sum of the 7 days of timechart, i.e., ~ 90,000? That's because you are performing distinct count (dc). There are large number of overlaps in field id day over day. For example, if on day one, id A, B, and C appears, on day two, A, C, and D appears, your dc(id) will be 3 on both days individually; that's what timechart span=1d will show. But if you set earliest=-2d and perform dc(id), the output will be 4.
Do another experiment:
index=something sourcetype=something earliest=-7d@d latest=@d
| timechart span=7d dc(id) as total
This will give you that magical number ~27,000.
All this is a long way to say that timechart span=1d is really giving correct results (as far as dc is concerned).
