
Summary index for rolling 30d count not working as expected


I've just started using summary indexes - I have two searches that work as expected on querying data in just the previous day.

I also want a job that queries our unique users over the previous 30 days.

Here is my summary query:

event=login 
| sistats dc(user_id)

In the UI for Time range I have: from: -30d@d to: @d

and this runs every day at midnight

What I think this does:
query the login events, count the distinct ids for the previous 30 days
store them in a summary index using sistats

My retrieval query is:

event=login 
| stats dc(user_id) by _time

What I expect this to do:
return the summarized 30 day distinct count day over day

What I get: the summarized value for 30 days: SUCCESS!
the timestamp for the count is 30 days ago and not the date of the summary run

Can someone point me to what I am doing wrong? I don't understand why the timestamp is 30 days ago and not the date of the scheduled run.

