Wow, that's creepy. I think it has to be a bug, maybe in append or maybe in something deeper. But whatever it is, it seems like it happens if you alter the _time values while you're still in the subsearch brackets. What happens if you do is that most of the rows get yanked out of existence and never get appended. Why most of them and not all of them, I don't know. I've run lots of different searches with different data and timechart/stats, etc., and it really seems to be caused only by monkeying with _time values while in the square brackets of an append.
Here's a more generic example. This search should work, but it doesn't. Most of the "yesterday" events get mysteriously removed.
* earliest="@d+11h" latest="@d+11h+15min" | eval marker="today" | append [search * earliest="-1d@d+11h" latest="-1d@d+11h+15min" | eval marker="yesterday" | eval _time=_time+(60*60*24)] | timechart count by marker
But this very similar search works perfectly.
* earliest="@d+11h" latest="@d+11h+15min" | eval marker="today" | append [search * earliest="-1d@d+11h" latest="-1d@d+11h+15min" | eval marker="yesterday"] | eval _time=if(marker=="yesterday",_time+(60*60*24),_time) | timechart count by marker
And if you go back to that first search and you just remove the eval clause, suddenly you get all the events from yesterday coming out of append correctly.
You can do it with any command, not just with timechart. Here we should end up with two buckets - each with 1000 events (assuming you generally have >1000 events per 15min period in your main index). But this one is missing most of the "yesterday" events.
* earliest="@d+11h" latest="@d+11h+15min" | head 1000 | eval marker="today" | append [search * earliest="-1d@d+11h" latest="-1d@d+11h+15min" | eval marker="yesterday" | eval _time=_time+(60*60*24) | head 1000] | stats count by marker
And this one has them all.
* earliest="@d+11h" latest="@d+11h+15min" | head 1000 | eval marker="today" | append [search * earliest="-1d@d+11h" latest="-1d@d+11h+15min" | eval marker="yesterday" | head 1000] | eval _time=if(marker=="yesterday",_time+(60*60*24),_time) | stats count by marker
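The same workaround pattern (shift _time only after the append has returned), extended from two periods to three so the overlay can also include the same window a week ago. This is an added example, not part of the original post; it assumes the same default index and 15-minute window the post uses, and the "lastweek" marker is a name chosen here.

```spl
* earliest="@d+11h" latest="@d+11h+15min"
| eval marker="today"
| append [search * earliest="-1d@d+11h" latest="-1d@d+11h+15min" | eval marker="yesterday"]
| append [search * earliest="-7d@d+11h" latest="-7d@d+11h+15min" | eval marker="lastweek"]
| eval _time=case(
      marker=="yesterday", _time+(60*60*24),
      marker=="lastweek",  _time+(7*60*60*24),
      true(),              _time)
| timechart span=1m count by marker
```

Running `| stats count by marker` in place of the timechart gives a quick check that all three periods returned a comparable number of events, which is the symptom the post uses to spot the dropped rows.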