Simple searches that return different results based on where the dedup is. Seems like it's functioning 2 different ways:
index=dev_tsv md_type="assets" info_owner_orgID="Test" related_vendors="*gibberish*" info_tags="<tagname>"
| dedup id
| stats count by id
But this one returns a different result set than the one above
index=dev_tsv md_type="assets" info_owner_orgID="Test" related_vendors="*gibberish*"
| dedup id
| search info_tags="<tagname>"
| stats count by id
Any thoughts would be helpful.
Thanks as always!
First search:
Only logs with (info_tags = "<tagname>") are extracted.
Next search:
Logs that are not (info_tags = "<tagname>") are also extracted.
The next dedup may delete the log with (info_tags = "<tagname>") and leave a log without (info_tags = "<tagname>").
I think that there is a difference in the number of cases due to the above difference.
This I understand BUT I would think the first search would be a smaller result, but it's not: it returns 146 results, the second search only returns 94.
The first search returns results from 2 times on the same day, 52 at 12AM and 94 at 3PM, BUT the second only returns one set, 94 at 3PM.
It appears the first search is just ensuring there are no duplicate ids for the ones with info_tags; in the second it's ensuring we only get the most recent ids with info_tags.
Why would it function 2 different ways?
The number of second searches to be deleted by dedup decreases.
search1
ID=1,info_tags=B
ID=2,info_tags=B
ID=3,info_tags=B
search2
ID=1,info_tags=A
ID=1,info_tags=B
ID=2,info_tags=B
ID=2,info_tags=C
ID=3,info_tags=B
ID=3,info_tags=D
↓ dedup
ID=1,info_tags=A
ID=2,info_tags=B
ID=3,info_tags=B
↓ search info_tags=B
ID=2,info_tags=B
ID=3,info_tags=B
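The difference above comes down to pipeline order: Splunk hands events to dedup most-recent-first, and dedup keeps the first event it sees per id. The following is an added example, not part of this thread and not Splunk code, that models that behaviour in plain Python on constructed sample events mirroring the ID / info_tags table above. The function names (search, dedup, stats_count_by_id, filter_then_dedup, dedup_then_filter) and the _time values are assumptions made for the simulation.

```python
"""Simulate why `search X | dedup id` differs from `dedup id | search X`.

Added example (not from the original thread). A tiny in-memory model of the
Splunk pipeline: events are ordered most-recent-first, as Splunk returns them,
and `dedup` keeps the first event it meets for each value of the field, which
is therefore the most recent one.
"""
from __future__ import annotations

# Constructed sample data mirroring the reply's table. _time is an assumed
# ordering key; larger means more recent. IDs 1, 2 and 3 each have two events.
EVENTS = [
    {"_time": 6, "id": 1, "info_tags": "A"},
    {"_time": 5, "id": 1, "info_tags": "B"},
    {"_time": 4, "id": 2, "info_tags": "B"},
    {"_time": 3, "id": 2, "info_tags": "C"},
    {"_time": 2, "id": 3, "info_tags": "B"},
    {"_time": 1, "id": 3, "info_tags": "D"},
]


def most_recent_first(events: list[dict]) -> list[dict]:
    """Model Splunk's default result ordering (newest event first)."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def search(events: list[dict], **criteria) -> list[dict]:
    """`| search field=value ...`: keep events matching every criterion."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def dedup(events: list[dict], field: str) -> list[dict]:
    """`| dedup field`: keep the first event seen per field value.

    Because the input is newest-first, "first seen" means "most recent",
    regardless of what the older events for that id contained.
    """
    seen: set = set()
    kept: list[dict] = []
    for e in events:
        key = e.get(field)
        if key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept


def stats_count_by_id(events: list[dict]) -> dict:
    """`| stats count by id`: number of surviving events per id."""
    counts: dict = {}
    for e in events:
        counts[e["id"]] = counts.get(e["id"], 0) + 1
    return counts


def filter_then_dedup(events: list[dict], tag: str) -> dict:
    """Pipeline 1: filter on info_tags first, then dedup id.

    Every id that has *any* event with the tag survives, because the
    untagged (possibly newer) events were removed before dedup ran.
    """
    ordered = most_recent_first(events)
    return stats_count_by_id(dedup(search(ordered, info_tags=tag), "id"))


def dedup_then_filter(events: list[dict], tag: str) -> dict:
    """Pipeline 2: dedup id first, then filter on info_tags.

    Only ids whose *most recent* event carries the tag survive; an id whose
    newest event has a different tag is dropped even if an older event matched.
    """
    ordered = most_recent_first(events)
    return stats_count_by_id(search(dedup(ordered, "id"), info_tags=tag))


if __name__ == "__main__":
    print("search | dedup :", filter_then_dedup(EVENTS, "B"))  # {1: 1, 2: 1, 3: 1}
    print("dedup | search :", dedup_then_filter(EVENTS, "B"))  # {2: 1, 3: 1}
```

Running it reproduces the table in the reply: id 1 survives the first pipeline because one of its events has info_tags=B, but disappears from the second because its most recent event has info_tags=A and dedup has already thrown the B event away. That is the same mechanism that turns the original poster's 146 (ids with any tagged event) into 94 (ids whose newest event is tagged).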
OK, I can see now what you mean: since it's taking the most recent record and deduping BEFORE getting the info_tag, it reduces the overall count. That makes sense.
Thanks for that