I'm attempting to optimize one of our dashboard forms with a scheduled report as a global search that would need to be tokenized and will end up feeding several panels. I was attempting to build the base search and move my filtering tokens further down the query, but I'm getting different results than I'm expecting based on the original query. I've double checked the time picker, but I'm not sure what's going on. I'm pretty new to dashboard post-processes and global searches; is there a best practice or SPL notion that I'm missing?
I took the original search:
| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as signature_count from datamodel=Vulnerabilities.Vulnerabilities where (Vulnerabilities.severity="critical" OR Vulnerabilities.severity="high") by Vulnerabilities.dest, _time
| rename "Vulnerabilities.dest" as dest, "Vulnerabilities.*" as "*"
| timechart span=7d avg(signature_count) as current_avg
I removed the timechart command so that I could see the underlying values of the original search. It returns 205,565 statistics:
| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as signature_count from datamodel=Vulnerabilities.Vulnerabilities where (Vulnerabilities.severity="critical" OR Vulnerabilities.severity="high") by Vulnerabilities.dest, _time
| rename "Vulnerabilities.dest" as dest, "Vulnerabilities.*" as "*"
My search with the filters moved down, which generates 134,197 statistics:
| tstats summariesonly=true allow_old_summaries=true dc(Vulnerabilities.signature) as signature_count from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.dest, _time, Vulnerabilities.severity
| rename "Vulnerabilities.dest" as dest, "Vulnerabilities.severity" as severity, "Vulnerabilities.*" as "*"
| search (severity="critical" OR severity="high")
| stats sum(signature_count) as signature_count by dest _time
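Added example (not from the post or from Splunk): a small Python simulation of the two SPL pipelines above over constructed Vulnerabilities rows. It shows one reason the values can differ: dc() computed per severity and then summed counts a signature twice when the same host reports it at both critical and high, whereas dc() with the filter in the where clause counts it once. The row-count difference the post reports is not something this simulation reproduces.

```python
"""Simulate both pipelines from the post to show why sum() of a
per-severity dc() is not the same as dc() with severity in the
where clause. All data below is constructed for the example."""
from collections import defaultdict

# Constructed rows: (dest, _time bucket, severity, signature).
# host-a reports sig-1 at both critical and high, which is the case
# where the two pipelines disagree.
EVENTS = [
    ("host-a", 1, "critical", "sig-1"),
    ("host-a", 1, "high", "sig-1"),
    ("host-a", 1, "high", "sig-2"),
    ("host-a", 1, "low", "sig-3"),
    ("host-b", 1, "critical", "sig-4"),
    ("host-b", 1, "informational", "sig-5"),
    ("host-b", 2, "high", "sig-4"),
]
WANTED = {"critical", "high"}


def original_search(events):
    """tstats dc(signature) where severity=critical OR high by dest, _time."""
    sigs = defaultdict(set)
    for dest, t, sev, sig in events:
        if sev in WANTED:              # filter applied before dc()
            sigs[(dest, t)].add(sig)
    return {k: len(v) for k, v in sigs.items()}


def base_search_then_filter(events):
    """tstats dc(signature) by dest, _time, severity
    | search severity=critical OR high
    | stats sum(signature_count) by dest _time."""
    sigs = defaultdict(set)
    for dest, t, sev, sig in events:
        sigs[(dest, t, sev)].add(sig)  # dc() is now per severity
    per_sev = {k: len(v) for k, v in sigs.items()}
    out = defaultdict(int)
    for (dest, t, sev), n in per_sev.items():
        if sev in WANTED:              # filter applied after dc()
            out[(dest, t)] += n        # summing distinct counts re-counts shared signatures
    return dict(out)


def diverging_rows(events):
    """Return (dest, _time) keys whose signature_count differs between pipelines."""
    a, b = original_search(events), base_search_then_filter(events)
    return {k: (a[k], b.get(k)) for k in a if a[k] != b.get(k)}
```

Running diverging_rows(EVENTS) reports host-a in bucket 1 as 2 under the original search but 3 under the post-filtered base search; host-b, which has no signature at two wanted severities, agrees in both.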