FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 193330

Description

Question

Why does the number of events shown in a Dashboard differ from the number returned by the corresponding event search?

Answer

The difference is due to the way dashboards are populated versus historical searches.

For Dashboards

1) Data in dashboards come from summarized data that AO keeps locally to speed up generation and display.

2) Summarized data are kept in 5-minute buckets. These are then rolled up into 1-hour buckets.

3) A dashboard that shows the last 1 hour displays the summary of data from the last 12 completed 5-minute buckets.

Example: If it is currently 1:57 PM, the buckets summarized would be from 12:55 PM to 1:55 PM. Any event that arrived between 1:56:00 PM and 1:57:59 PM would NOT be included in the summary.

Historical Searches:

1) The events are pulled from the eventdb, not from any local store of information.

2) Historical searches include every event within the time frame set as the criteria for the search.
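The following is an added illustration, not code from the article or from FortiSIEM itself: it models the two counting methods described above, a dashboard built from the last 12 completed 5-minute buckets versus a historical search over exactly the last hour, and runs both over a constructed set of event timestamps. It assumes buckets are aligned to 5-minute clock boundaries and that the bucket containing the current time is still open; under that assumption the aligned window also starts up to five minutes earlier than "now minus one hour", so the two counts can differ at both ends of the window.

```python
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=5)
BUCKETS_PER_HOUR = 12


def completed_bucket_window(now: datetime):
    """Return (start, end) of the 12 most recent completed 5-minute buckets.

    Buckets are assumed to be aligned to 5-minute clock boundaries; the bucket
    that contains `now` is still being filled, so it is excluded. `end` is exclusive.
    """
    bucket_start = now.replace(minute=now.minute - now.minute % 5, second=0, microsecond=0)
    end = bucket_start
    start = end - BUCKET * BUCKETS_PER_HOUR
    return start, end


def dashboard_count(events, now: datetime) -> int:
    """Count events the 1-hour dashboard would show (summarized buckets only)."""
    start, end = completed_bucket_window(now)
    return sum(1 for t in events if start <= t < end)


def historical_count(events, now: datetime) -> int:
    """Count events a historical search over the last hour would return (eventdb)."""
    start = now - timedelta(hours=1)
    return sum(1 for t in events if start <= t <= now)


# Constructed sample: five event arrival times around the article's 1:57 PM example.
SAMPLE_NOW = datetime(2024, 1, 1, 13, 57, 59)
SAMPLE_EVENTS = [
    datetime(2024, 1, 1, 12, 50, 0),   # before both windows
    datetime(2024, 1, 1, 12, 56, 0),   # in bucket 12:55-13:00, but more than 1 h before now
    datetime(2024, 1, 1, 13, 30, 0),   # counted by both
    datetime(2024, 1, 1, 13, 56, 30),  # in the still-open bucket: search only
    datetime(2024, 1, 1, 13, 57, 30),  # in the still-open bucket: search only
]


def compare(events=SAMPLE_EVENTS, now=SAMPLE_NOW) -> dict:
    """Return both counts side by side so the discrepancy is visible."""
    start, end = completed_bucket_window(now)
    return {
        "dashboard_window": (start, end),
        "dashboard": dashboard_count(events, now),
        "historical": historical_count(events, now),
    }


if __name__ == "__main__":
    print(compare())
```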

Real-time Searches:

1) The events are pulled from the event cache, before they are written to the eventdb.

2) Real-time searches include every event within the time frame set as the criteria for the search.

Reports:

1) If the report is run with "Run Now", data are pulled from the summarized data when a corresponding dashboard exists, otherwise from the event cache.

2) Otherwise, the events are pulled from the eventdb, as with historical searches.
