Forum Discussion
Workbook bug counting too many incidents?
The BIN is rolling all the data for the 'whole' day into the result, the 1st query is only getting the data (I suspect) from when you actually ran the KQL minus 24hrs.
e.g. If TimeRange was set to last 24hrs, and you opened/ran query #1 at 9:00, its looking back to 9:00 the previous days (-24hrs), the BIN is looking back to the midnight, so has an extra 9hrs or different data.
Thanks for the response, I had a similar thought when i first encountered this, but the bin does not seem to be the cause, or at least not in the way we think.
This is a screen shot from events accumulated in the previous month:
With the accompanying query and graph.
To get a similar number of events i need to add several extra days in the time range if i remove the bin function:
I have added 2 extra days to make sure the bin doesn't gather extra information as well as set the time frame from 00:00
That leaves me with this result. They were obviously not expected to be the same, but just to prove a point that it is not just extra time the bin function has found other incidents.
Adding back the bin function in the last query gives this result:
5 extra events this time around.
Could it be that the bin function somehow counts extra incidents? How does it treat for example an incident that has its severity changed. I suppose it shouldn't show up seeing as i use the dcount(IncidentNumber) however i do summarize based on severity and that might be a source of a duplicate? Or incidents that has happened and the been updated in the next day? Just throwing out ideas.