Help with discrepancy on reports/query

Rodrigo Gurriti
Level 3

Hello

I have a MARS running w/ a few custom reports. I noticed that the custom reports/queries had a difference in the data information from the pre-configured reports.

1- Difference - The columns:

Pre-configured

Rank - Total Sessions - Average / Minute - Raw Source IP - Hosts

Custom

Rank - Count (# of Sessions) - Raw Source IP - Hosts

2- Difference - The data:

I have a huge difference on the data, for instance, I’ve attached the 2 prints of the pre-configured report and a custom query. They both have the same time frame.

Query: Activity: All - Top Sources

query.JPG

Pre-configured: Activity: All - Top Sources

report.JPG


The data reported on the pre-configured report is 10x more than the custom query. All the variances are the same, time, destination, source, service etc. Is there a difference on the data collected on the query and custom report to the pre-configured report?

If I query for the preconfigured "Activity: All - Top Sources", or if I manually configure it, or if I manually create a report, the data will be different from the pre-configured report.

Does anyone know why?

Thank you

1 Reply

Ronald Anthony
Level 1

Hi Rodrigo,

Nope, I don't have an explanation for the presented data.  I would recommend opening a TAC case so we can look at the issue and figure out why the query and the report have different results.

The normal submit-inline query is historical in nature.  That is, it digs out of the database events matching your criteria.  However, scheduled reports are different.  They gather information throughout the period the report is set to retrieve.  It does this in real time, so, it is not an historical query.  This is why you will see the report finished time is very near the end of the query time range.  It already has the data, it just has to finish the report.

In this case, if the query and the scheduled report don't agree, it needs to be looked at.  These mechanisms are not the same.  I would include the screen shots and the version of MARS when opening the case.

I hope this helps.

Ron
