Event Totals Can Appear Incorrect when Drilling into Snapshot Data

Under certain conditions, if a reviewer drills down into a chart to see the underlying events, the number of results does not match the event total shown in the chart. This apparent disparity can occur if further events have been captured or reviewed since the snapshot totals were last calculated.

Snapshot totals are recalculated each time a data aggregation job runs. By default, aggregation jobs run every hour. Consequently, snapshots (such as 'total unreviewed events') reflect the total number of events at the specific time when the aggregation job ran.

If the actual event counts rise or fall before the next aggregation job runs (for example, a manager reviews some previously unreviewed events), then the snapshot total shown in the dashboard will no longer tally with the actual number of underlying events in the CMS database. If a reviewer were to drill down into the dashboard at this point, they would see an apparent disparity in the number of events.

Example

Consider this timeline:

15.00 PM: An aggregation job runs and finds 100 unreviewed events.

15.15 PM: A manager refreshes their dashboard; the snapshot total for Unreviewed Events is 100.

15.16 PM: The same manager drills down into the dashboard to see the underlying events. The Search Results screen does indeed find 100 unreviewed events.

15.30 PM: A reviewer audits 25 of the unreviewed events in the iConsole.

15.45 PM: The manager refreshes their dashboard; the snapshot total for Unreviewed Events is still 100. This is because there has been no new aggregation job since 15.00.

15.46 PM: The manager drills down into the dashboard again. But this time, the Search Results screen only finds 75 unreviewed events!

16.00 PM: The next aggregation job runs and finds 75 unreviewed events. The snapshot total and number of underlying events are back in sync.

Note: Such potential disparities only affect snapshots of event counts based on audit status. They cannot occur with snapshots based on non-changing event attributes such as event counts by policy.