Nov 05 2021 07:07 AM
Greetings, I am trying to put together a decent workbook for a customer to use for reporting purposes, however I have come across something that might look like a peculiar bug.
When I count the number of incidents for the given time period it doesn't match what is actually shown in the logs. This picture matches what I can see in the incidents tab and the logs for the time period.
However, when I add the remainder of the summarize line to generate a chart it shows an extra count.
Notice the 1 extra Medium severity, 1 extra Informational severity and 2 extra Low severity. Any ideas as to where these 4 extras come from?
Nov 08 2021 02:05 AM
The BIN is rolling all the data for the 'whole' day into the result; the 1st query is only getting the data (I suspect) from when you actually ran the KQL minus 24hrs.
e.g. If TimeRange was set to last 24hrs, and you opened/ran query #1 at 9:00, it's looking back to 9:00 the previous day (-24hrs), whereas the BIN is looking back to midnight, so it has an extra 9hrs or different data.
Nov 08 2021 04:18 AM
Thanks for the response, I had a similar thought when I first encountered this, but the bin does not seem to be the cause, or at least not in the way we think.
This is a screen shot from events accumulated in the previous month:
With the accompanying query and graph.
To get a similar number of events I need to add several extra days to the time range if I remove the bin function:
I have added 2 extra days to make sure the bin doesn't gather extra information, as well as set the time frame from 00:00.
That leaves me with this result. They were obviously not expected to be the same, but just to prove a point that it is not just extra time: the bin function has found other incidents.
Adding back the bin function in the last query gives this result:
5 extra events this time around.
Could it be that the bin function somehow counts extra incidents? How does it treat, for example, an incident that has its severity changed? I suppose it shouldn't show up seeing as I use dcount(IncidentNumber), however I do summarize based on severity and that might be a source of a duplicate? Or incidents that have happened and then been updated the next day? Just throwing out ideas.
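The poster's last guess is worth checking directly. The SecurityIncident table holds one row per incident snapshot, so an incident whose severity (or status) changes appears as several rows with the same IncidentNumber. `dcount(IncidentNumber)` removes duplicates only within a group, so grouping by Severity (and by a day bin) counts the same incident once per severity or day it ever had. The KQL below is an added example, not a query from this thread; it runs over a constructed `datatable` with SecurityIncident-style column names (TimeGenerated, IncidentNumber, Severity, Status) rather than the live table, and the incident numbers and timestamps are made up. It puts the thread's approach, the same approach with `bin()`, and a deduplicated version side by side.

```kusto
// Added example (not from the thread). Constructed sample rows in the shape of
// SecurityIncident: one row per incident snapshot. Incident 1002 was re-classified
// from Low to Medium the next day; incident 1004 got a status update only.
let SampleIncidents = datatable(TimeGenerated:datetime, IncidentNumber:int, Severity:string, Status:string)
[
    datetime(2021-10-03 09:15:00), 1001, "High",          "New",
    datetime(2021-10-03 10:40:00), 1002, "Low",           "New",
    datetime(2021-10-03 11:05:00), 1003, "Informational", "New",
    datetime(2021-10-04 08:30:00), 1002, "Medium",        "Active",   // severity changed next day
    datetime(2021-10-04 14:20:00), 1004, "Low",           "New",
    datetime(2021-10-04 16:00:00), 1004, "Low",           "Closed"    // status update, same severity
];
// Method 1: the thread's summarize. Incident 1002 is counted under both Low and
// Medium, so the per-severity figures add up to 5 although only 4 incidents exist.
let BySeverity = SampleIncidents
    | summarize Incidents = dcount(IncidentNumber) by Severity
    | extend Method = "1-dcount by Severity", Day = datetime(null);
// Method 2: with a daily bin the same incident is also split across two days,
// and each bucket starts at midnight rather than at "now minus 24h".
let ByDayAndSeverity = SampleIncidents
    | summarize Incidents = dcount(IncidentNumber) by Day = bin(TimeGenerated, 1d), Severity
    | extend Method = "2-dcount by bin(1d), Severity";
// Method 3: collapse each incident to its latest snapshot first (arg_max keeps the
// whole row with the newest TimeGenerated), then count. Totals now match the
// incident list: 1002 shows up once, as Medium, on the day of its last update.
let LatestPerIncident = SampleIncidents
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | summarize Incidents = count() by Day = bin(TimeGenerated, 1d), Severity
    | extend Method = "3-latest snapshot, then bin(1d), Severity";
union BySeverity, ByDayAndSeverity, LatestPerIncident
| project Method, Day, Severity, Incidents
| order by Method asc, Day asc, Severity asc
```

Method 1 returns High 1, Informational 1, Low 2, Medium 1 (five for four incidents); Method 2 puts 1002 under Low on 2021-10-03 and again under Medium on 2021-10-04; Method 3 returns exactly four rows, one per incident. In a workbook, replace the `datatable` with `SecurityIncident` and apply the TimeRange parameter as usual; the `arg_max` step is the part that makes the chart totals agree with the incidents tab. Note that the latest-snapshot approach dates an incident by its last modification, so if the report should count incidents by creation day, use the CreatedTime column (which SecurityIncident provides) in the bin instead of TimeGenerated.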