Jul 02 2020 12:03 PM
We are getting vastly different results depending on how we search Incidents using Lighthouse Multi-Tenant View.
Scenario:
A) Set filters to the pre-built 30d search, filter the workspace we are working on to be the only one checked, and set the filter to look for New/Active. It results in 51 Incidents.
B) Using the same filters except a Custom Date Range for the same 30d, only with specific start and end times, the result is 429 New/Active Incidents. (i.e. June 2, 2020 12 PM to July 2, 2020 12 PM)
This is a huge discrepancy, with the only variable that changes being the pre-built time range versus the custom-set time range.
Thoughts?
Jul 04 2020 02:12 AM
This may be an option (if not, can you share your query example): did you do this?
| where TimeGenerated > ago(30d)
Then it will run from the time you press return (so maybe 10:04 - my current time). If you need a whole day, then try this, which is from midnight 30 days ago.
| where TimeGenerated > startofday(ago(30d))
You may want to combine this with a between to capture. This reminds me I have prepared a Blog on this topic, which I need to finish! There is an endofday option as well.
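As an added example (not code from either poster), the three time windows discussed in the reply side by side, so the count each one returns can be compared directly. It assumes the incidents are read from the SecurityIncident table that Azure Sentinel writes incident records to, and that the Lighthouse New/Active filter corresponds to the Status column of that table.

```kql
// Added example, not the original poster's query.
// Assumption: incidents live in SecurityIncident and the New/Active filter maps to Status.
let lookback = 30d;
let statuses = dynamic(["New", "Active"]);
// A) relative window: starts exactly 30 days before the moment the query runs
let fromNow = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | where Status in (statuses)
    // SecurityIncident keeps one row per incident update; keep only the latest row per incident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | summarize Count = count()
    | extend Window = "ago(30d)";
// B) whole-day window: starts at midnight 30 days ago
let fromMidnight = SecurityIncident
    | where TimeGenerated > startofday(ago(lookback))
    | where Status in (statuses)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | summarize Count = count()
    | extend Window = "startofday(ago(30d))";
// C) explicit bounded range, the "between" with endofday that the reply mentions
let bounded = SecurityIncident
    | where TimeGenerated between (startofday(ago(lookback)) .. endofday(now()))
    | where Status in (statuses)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | summarize Count = count()
    | extend Window = "between(startofday .. endofday)";
union fromNow, fromMidnight, bounded
| project Window, Count
```

Running this in the same workspace the Lighthouse view was filtered to shows whether the window boundary alone accounts for the gap; if all three counts agree, the difference lies in something other than the time range.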