I know there is a syntax difference between:
sourcetype=blah | chart count over foo by bar
and
sourcetype=blah | chart count by foo, bar
But what's the difference, if any?
Comparing the performance and request sections of the job inspection for those queries reveals a difference of a couple of milliseconds on a sample dataset.
Are they actually different under the hood or is "over X by Y" just another way of saying "by X, Y"?
On a related note, where is the best place to look to see what a job is actually doing?
Update: added the count keyword in the search - miscopied that.
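The question compares two spellings of a two-way split in the chart command. As an added illustration, and not code from the original post or from Splunk, the Python below emulates what `chart count` computes for each spelling on a constructed set of login-like events: with two split fields, `over X by Y` names the row split (X) and the column split (Y) explicitly, while `by X, Y` assigns them positionally (first field rows, second columns), so both normalise to the same table. The field names `user` and `action` are assumed stand-ins for the question's foo and bar; the emulation models only the counting and the zero-filled layout, not Splunk's null handling, default column limit or OTHER bucket.

```python
import re
from collections import Counter

# Constructed sample events standing in for the question's `sourcetype=blah`;
# not data from the original post. `user` and `action` play the roles of foo and bar.
EVENTS = [
    {"user": "alice", "action": "success", "src": "10.0.0.1"},
    {"user": "alice", "action": "failure", "src": "10.0.0.1"},
    {"user": "bob",   "action": "failure", "src": "10.0.0.2"},
    {"user": "bob",   "action": "failure", "src": "10.0.0.3"},
    {"user": "carol", "action": "success", "src": "10.0.0.4"},
    {"src": "10.0.0.5"},  # lacks both split fields and contributes to no cell
]

_OVER_BY = re.compile(r"count\s+over\s+(\w+)\s+by\s+(\w+)")
_BY_TWO = re.compile(r"count\s+by\s+(\w+)\s*,\s*(\w+)")


def split_fields(chart_args):
    """Normalise the two spellings to (row_split, column_split).

    `count over X by Y` names the row split (X) and column split (Y) explicitly;
    `count by X, Y` lists them positionally, first field rows, second columns.
    Both therefore yield the same pair.
    """
    args = chart_args.strip()
    for pattern in (_OVER_BY, _BY_TWO):
        m = pattern.fullmatch(args)
        if m:
            return m.group(1), m.group(2)
    raise ValueError(f"unsupported chart arguments: {chart_args!r}")


def chart_count(events, chart_args):
    """Emulate `| chart <chart_args>` for count with a two-way split.

    Returns {row_value: {column_value: count}} with every cell present and
    empty cells filled with 0, the way the Statistics tab renders the chart.
    Events missing either split field are skipped (Splunk's null handling,
    column limit and OTHER bucket are deliberately not modelled here).
    """
    row_field, col_field = split_fields(chart_args)
    counts = Counter(
        (e[row_field], e[col_field])
        for e in events
        if row_field in e and col_field in e
    )
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    return {r: {c: counts.get((r, c), 0) for c in cols} for r in rows}


def render(table, row_field):
    """Format the chart as tab-separated text for eyeballing."""
    cols = list(next(iter(table.values()), {}))
    lines = ["\t".join([row_field, *cols])]
    for r, cells in table.items():
        lines.append("\t".join([str(r), *(str(cells[c]) for c in cols)]))
    return "\n".join(lines)


if __name__ == "__main__":
    a = chart_count(EVENTS, "count over user by action")
    b = chart_count(EVENTS, "count by user, action")
    print(render(a, "user"))
    print("identical tables:", a == b)
```

Running the block prints one table with a `user` row per distinct user and a column per `action` value, and confirms that both argument spellings produce identical output on the same events.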