Subquery affecting the number of record parsed in the main query

Comments

1 comment

  • Avatar
    Harinder Bhandari

    Hi Carl,

    When you run the query within the subquery it generates output as follows using values of the instance field (instancekeyword1 OR instancekeyword2 or instancekeyword3 or instancekeyword4 ……) now that creates the parent query as follows:


    (instancekeyword1 OR instancekeyword2 or instancekeyword3 or instancekeyword4 ……) _source="ngnix"
    | count_distinct (_collector) as localized_status by _collector

    Because these keywords restrict the results as it ANDed with _source="nginx", You are going to get fewer results than 13,932,768.

    Hope this helps.

    Thanks.

     

    0
    Comment actions Permalink

Please sign in to leave a comment.