I am trying to find all the 'host' that make up an index and get a total count of unique values. The purpose of this is to eventually get alerts on when the total 'host' changes so I can tell when something that makes up an index stops working.

They are close enough in overall performance that you can go either way and no one will say "Boo" about it. Check the details of the run and see how much of that time is on the indexers and how much on the search head. For overall throughput, slightly more CPU time but all of it on the indexers is far better than slightly less CPU time all on the search head. Then do whatever makes sense.

So, given your results, it looks like the results are in alignment with my expectations - dedup is slightly less efficient, as expected, but only slightly so. I wouldn't worry about the number of records scanned, if they both got identical results, but I'd make sure the time frames and output results were identical before assuming the code was working apples-to-apples. Check the results against each other and make sure they came out identical. The time the search was executed will be in the info_search_time field.

Footnote: Be careful of table. It is a transforming command which has a natural limit on how many results it will allow. (50k?)

Footnote 2 - use at the end of your earliest and latest to make sure the two timelines are exactly the same.

Description: The dedup command retains multiple events for each combination when you specify N. If you do not specify a number, only the first occurring event is kept. All other duplicates are removed from the results. You can also get the most recent value of a particular field using the 'first' function in stats.

The dc() stats command means 'distinct count'. For example: stats sparkline(count), dc(srcip) by Country. When grouped by your Country field, you'll have the number of distinct IPs from that given country. Similarly: span=1h _time | stats dc(reqtime) as dc by _time | stats avg(dc). This tells us that each hour there are an average of 3,367 unique values of reqtime.

There are three supported syntaxes for the dataset() function. Syntax: dataset(). The function syntax returns all of the fields in the events that match your search criteria. You can use this function in the SELECT clause in the from command and with the stats command.