I’ve created several queries using nearly the same pattern. One query obtains all the data according to the configured filters, and the second one, apart from the filters the first one has, uses one extra condition: to obtain the data with a response time greater than or equal to 5.
The first query:
sum(count_over_time({environment="PRO", service="OSB_ATM"} |~ `\t([0-9]{1,}\.[0-9]{1,})\t`
| pattern `<month> <day> <loki_hour> <server> <_>:<date> <time> <ip> <response_time> <method> <petid> <ws> <statusid> <size>`
[$__interval]))
The second query:
sum(count_over_time({environment="PRO", service="OSB_ATM"} |~ `\t([0-9]{1,}\.[0-9]{1,})\t`
| pattern `<month> <day> <loki_hour> <server> <_>:<date> <time> <ip> <response_time> <method> <petid> <ws> <statusid> <size>`
| response_time >= 5 [$__interval]))
When I filter the time to 1 hour or less, the result is consistent; that is, the first query always has to have more data than the second. The first query is global, and the second one only has the ones over 5.
But when I filter for more than three hours the result is not consistent. The second one has more results than the first one.
I’ve checked the query works correctly filtering in 15 minutes, and the data is OK. Why do the queries show this data for more time?
For 30 minutes:
For 1 hour:
For 3 hours and more these are the results:
Last 24 hours:
Is there something wrong with the query? Do I have to make the query differently?
Any idea about this behavior?
Regards