There is an issue in the "application_group over time" graph. Right before it finalizes you can see a graph that makes sense and then it just drops off with a strange spike. The sessions also sometimes show up as “0” after it moves to a finished status. This seems to happen for any larger search and sometimes for short (15 minute) searches.

Security Analytics 8.3.1

A new feature in version 8.3.1 is what is called overlap or in-flight sessions.  In 8.2.8, reports only showed sessions that started within the selected time range.  In 8.3.1, reports show all active sessions during the time range.  Any session that starts, is active, or ends within the time range will appear.

This change can have a side effect.  Reports may include sessions that start or end far outside the selected time span, producing small "heads" or "tails" in the data.  On the "over time" graph, this effect is more noticeable.

The graph must account for all active data. If the selected time range contains a lot of data in the selected span but a few very long-lived sessions exist, the graph may appear lopsided.  This happens because the graph adds overlap sessions last. Initially, the graph looks normal, then the "in-flight" sessions are added on the final redraw.

While these sessions don't show as zero numerically, the difference in scale (e.g., 1 million vs. 1) can make the smaller values appear as basically zero.  You should be able to hover over the graph and see that they are non-zero.  There might be ways you can attempt to filter them out (such as duration, or filter out the IP's or application_groups that are causing the long running sessions).