Subquery affecting the number of record parsed in the main query

Follow

Carl Saldanha

• October 09, 2020 16:20
• Edited

 

 

 

[subquery:
_source=core_reactor
| parse field=_collector "*.x-cloud.com" as instance
| parse "|| localized :> *\n" as status
| count_distinct (instance) as localized_status by instance
| save /a
| compose instance keywords]
_source="ngnix"
| count_distinct (_collector) as localized_status by _collector

 

 

I gather 2,338,485 results

 

 

But when I run 

 

_source="ngnix"
| count_distinct (_collector) as localized_status by _collector

I gather 13,932,768 results.

 

Why is there a difference if the queries are identical apart from the subquery that is not used

 

0

• 

  Harinder Bhandari

  • October 20, 2020 20:55

  Hi Carl,

  When you run the query within the subquery it generates output as follows using values of the instance field (instancekeyword1 OR instancekeyword2 or instancekeyword3 or instancekeyword4 ……) now that creates the parent query as follows:

  
  (instancekeyword1 OR instancekeyword2 or instancekeyword3 or instancekeyword4 ……) _source="ngnix"
  | count_distinct (_collector) as localized_status by _collector

  Because these keywords restrict the results as it ANDed with _source="nginx", You are going to get fewer results than 13,932,768.

  Hope this helps.

  Thanks.

   

  0

  Comment actions Permalink

Please sign in to leave a comment.