Why do I see a discrepancy in the summary of my Panther data when viewed in Search vs Data Explorer?
Data Explorer:
I am after the results we get when running a SELECT COUNT(DISTINCT <field>) statement.
Search GUI:
When viewing the same data in Search over the same time window, I see the same surge of data ingest. I then attempt to summarize by Column, and the items I see are not correct.
The Search feature currently limits the length of the summary. This view is designed to provide the top or bottom N results and facilitate quick pivots. If you need to view ALL the results, the recommended approach is to use a SQL query in the Data Explorer and review this output.