Bug: Custom Date Searches v 30d option


We are getting vastly different results depending on how we search Incidents using Lighthouse Multi-Tenant View. 

Scenario:

A) Set filters to pre-built 30d search, filter the workspace we are working on to be the only checked, set filter to look for New/Active. It results in 51 Incidents.

B) Using the same filters except using Custom Date Range for the same 30d, only with specific start and end times, and the results are 429 New/Active Incidents. (i.e., June 2, 2020 12p to July 2, 2020 12p)

This is a huge discrepancy with the only variable that changes being the prebuilt timerange and the custom set timerange.

Thoughts?

1 Reply

@caseytuohey

This may be an option (if not, can you share your query example?). Did you do this?

| where TimeGenerated > ago(30d) 

Then it will run from the time you press return (so maybe 10:04 - my current time). If you need a whole day, then try this, which is from midnight 30 days ago.

| where TimeGenerated > startofday(ago(30d))

You may want to combine this with a between to capture. This reminds me I have prepared a Blog on this topic, which I need to finish! There is an endofday option as well.
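
The three time windows discussed in this thread, counted side by side in one query. This is an added example, not code from either poster: the `Incidents` table and its rows are constructed sample data, `now_` is a fixed stand-in for `now()` (the reply's 10:04 on the question's July 2, 2020), and "12p" is read as 12:00.

```kusto
// Constructed sample rows; Incidents and its columns are hypothetical stand-ins
// for whatever table the real query runs against.
let now_ = datetime(2020-07-02T10:04:00Z);   // fixed "time you press return"
let Incidents = datatable(IncidentNumber:int, Status:string, TimeGenerated:datetime)
[
    1, "New",    datetime(2020-06-02T03:00:00Z),  // after midnight, before 10:04
    2, "Active", datetime(2020-06-02T11:00:00Z),  // after 10:04, before 12:00
    3, "New",    datetime(2020-06-15T09:00:00Z),  // inside every window
    4, "Closed", datetime(2020-06-20T09:00:00Z)   // excluded by the status filter
];
Incidents
| where Status in ("New", "Active")
| summarize
    // Rolling window: lower bound is exactly 30 days before the run time.
    Rolling30d   = countif(TimeGenerated > now_ - 30d),
    // Day-aligned window: lower bound snaps back to midnight of that day.
    FromMidnight = countif(TimeGenerated > startofday(now_ - 30d)),
    // Custom range: both ends fixed, and between is inclusive on both ends.
    CustomRange  = countif(TimeGenerated between
                     (datetime(2020-06-02T12:00:00Z) .. datetime(2020-07-02T12:00:00Z)))
```

Rows that fall near a window's lower bound are counted by some definitions and not others, so when comparing two incident counts, pin both bounds explicitly before concluding that the data differs.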