Can anyone identify the difference in the maximum result when using different over values in the match?
Example: I search the last hour of logs by log_type:
events:
  $event.metadata.event_timestamp.seconds > timestamp.current_seconds() - 3600
  $silent_hostname = $event.metadata.log_type
And in the match I insert:
match: $silent_hostname over 30 min
This shows me 2 groups of logs:
Group A (the first 30 minutes) and Group B (the last 30 minutes).
With the following outcome, to show me the max timestamp of each group:
outcome: $max_event_time = max($event.metadata.event_timestamp.seconds)
I get 2 results, each with the max timestamp for its group.
However, if I change the over value to 1 hour, it is supposed to return only one result, with the max timestamp equal to the max timestamp from Group B. But this does not happen. Instead, I get only one result, but the max timestamp is much lower than the max from Group B and slightly higher than the max from Group A.
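As an added illustration (not part of the original post and not Chronicle's engine), the following Python models the semantics the post expects: events are grouped by match key into fixed windows counted from the start of the searched hour, and max() is taken per group. The event list, the log_type values and the tumbling-window assumption are constructed for the example; compare_windows() reports any key for which a larger window returns a lower max than one of the smaller windows it covers, which is the anomaly the post describes and which this model never produces.

```python
"""Local model of `match $key over <window>` plus `max()`.

Assumptions (constructed for illustration, not Chronicle's implementation):
- windows are fixed (tumbling) and counted from the start of the searched hour,
- timestamps are seconds relative to that start,
- the larger window size is a multiple of the smaller one.
"""

# Constructed sample events: (match key, event_timestamp.seconds relative to
# the start of the searched hour). Group A = first 30 minutes, group B = last 30.
SAMPLE_EVENTS = [
    ("WINDOWS_DNS", 60),
    ("WINDOWS_DNS", 1200),
    ("WINDOWS_DNS", 1790),   # max of group A
    ("WINDOWS_DNS", 1810),
    ("WINDOWS_DNS", 2400),
    ("WINDOWS_DNS", 3590),   # max of group B
    ("LINUX_AUTH", 900),
    ("LINUX_AUTH", 3000),
]


def windowed_max(events, window_seconds, start=0):
    """Assign each event to window floor((ts - start) / window_seconds) for its
    key and return {(key, window_index): max_timestamp}."""
    result = {}
    for key, ts in events:
        if ts < start:
            continue  # outside the searched range
        idx = (ts - start) // window_seconds
        group = (key, idx)
        result[group] = max(result.get(group, ts), ts)
    return result


def compare_windows(events, small, large, start=0):
    """Return (key, small_window_index) pairs whose max exceeds the max of the
    large window containing them. Under tumbling-window semantics the large
    window's max is the max of the small windows it covers, so this is empty."""
    if large % small != 0:
        raise ValueError("large window must be a multiple of the small window")
    small_res = windowed_max(events, small, start)
    large_res = windowed_max(events, large, start)
    anomalies = []
    for (key, idx), m in small_res.items():
        large_idx = (idx * small) // large
        if large_res[(key, large_idx)] < m:
            anomalies.append((key, idx))
    return anomalies


if __name__ == "__main__":
    for window in (1800, 3600):
        print(f"over {window // 60} min:")
        for (key, idx), m in sorted(windowed_max(SAMPLE_EVENTS, window).items()):
            print(f"  {key} window {idx}: max_event_time={m}")
    print("anomalies:", compare_windows(SAMPLE_EVENTS, 1800, 3600))
```

With the 30-minute window the model returns two WINDOWS_DNS groups (max 1790 and 3590); with the 60-minute window it returns one group whose max is 3590, the group B maximum. A result lower than that, as the post reports, cannot come from per-window max() over the same events under these assumptions, so the next thing to verify is which time span the rule engine actually assigned to the single window.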