When I look at HOWTO61052, "Differential Sampling Summary by Department Report" (http://www.symantec.com/docs/HOWTO61052), I read that this report's data depends on the use of the Guaranteed Sampling Search and Random Sampling to capture messages for review.

We have 2 modes of Random Sampling (also called Random Capture).  The default mode is Guaranteed Sampling.  The alternate mode is Statistical Sampling.  Both of these sampling modes require the Journal Connector (JC) to be installed and properly configured to process journal archiving messages.  The JC looks at every message that is in the journal mailbox just before each message is sent to the archiving process.

Guaranteed Sampling causes the JC to tag items with the appropriate Department Tag for each Department to which the message author and / or recipient(s) belong.  The JC then passes certain information for each message to the CA Customer database in an XML file that contains up to 10,000 messages (this is a configurable number).  Guaranteed Sampling guarantees at least 1 item for each Monitored Employee will be in the review set, even if a Monitored Employee only sent or received 1 message during the previous day - all depending on the sampling percentages not being set to 0 and if the Monitored Employee is not suspended from sampling.

Statistical Sampling causes the JC to do the same Department Tag processing, but also causes it to randomly pick the messages to be sampled.  Only those messages the JC picks to be sampled will be added to the XML file that is passed to the CA Customer database.  Statistical Sampling does not guarantee that all Monitored Employees will have items to be reviewed.  For example, if a Monitored Employee only sent or received 1 message during the previous day AND the sampling percentages for inbound or outbound messages is 10%, then 10% of 1 is too small of a number for Statistical Sampling to consider sufficient, so that one item would not be included in the review set and that Monitored Employee would not have anything to be reviewed.

When the Random Sampling processing runs, which is 1:00 AM CA server time by default, items are moved from holding tables in the the database and put into the individual Department review sets.  If Statistical Sampling is the chosen mode, then all items that have been passed to the database during the previous day will be put into the review sets.  If Guaranteed Sampling is the chosen (default) mode, then all items in the holding tables will be parsed and a random set of messages will be chosen in the amounts needed to satisy the sampling percentages required for each Department and Monitored Employee.

In reviewing your "Employee Journaled Message Stats Summary - Example.pdf" file, I see where you may be confused.  Your screen shot is pointing to the Direction facet where it shows 153 for External Outbound messages, the Capture Method of Search with 154 items AND having the Author of Employee 1.  What we can't see is if the searches used to capture the 153 external outbound messages ran against archives other than just the journal archive.  From what we see, this report is only showing items captured by the Policy Engine, Random Sampling and Guaranteed Sampling Search processing, not through scheduled or immediate search processing.

In reviewing your "Differential Sampling Summary - Example2.pdf" file, I see where this report only includes items that were captured by the Policy Engine (0 items), Guaranteed Sample Searches (0 items) and Random Sampled items (28 items) out of a total of 958 items for Employee 1.  This report does not include any items captured by any scheduled or immediate searches.

As the numbers in the "Employee Journaled Message Stats Summary - Example.pdf" file and the "Differential Sampling Summary - Example2.pdf" file match, I believe both reports only show information on items captured by the Policy Engine, Random Sampling and Guaranteed Sampling processing - not through any scheduled or immediate searches.