I have a search that compares an expanded multi value field against a lookup table and returns those events where at least one of the field values was not found. My thinking is: if a `singleColumns` value is not found, I'll have at least two events with a shared `_cd` value in my results, which I then `dedup` to ensure my counts are correct.
base search
| eval UID = _cd
| eval singleColumns = split(column_name, " ")
| mvexpand singleColumns
| search NOT [| inputlookup Known_Bad_Columns | rename bad_columns as singleColumns]
| dedup UID
| stats count by field1, field2
| sort - count
I ran this against some known events (roughly 7 million prior to the expand) and some (not all) of my event counts were lower than expected. I then reran this search filtering to those specific event values (500 thousand prior to expand) and my counts came back correct. Can someone explain my loss of precision and possibly suggest a correction?
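To check the counting logic offline, below is an added Python reference model of the posted search; it is example code written for this page, not the poster's search or any Splunk component. The event list and the lookup contents are constructed samples, `_cd` stands in for the internal event id, and the lower-casing mirrors the case-insensitive field=value matching the `search` command applies to the values the subsearch returns. It runs the mvexpand / NOT-subsearch / dedup / stats steps one at a time, compares the result with a per-event computation that never expands anything, and shows what the count becomes when the `dedup UID` step is left out.

```python
from collections import Counter

# Constructed sample events, not taken from the original post. column_name is the
# space-separated multi-value field the search splits; _cd stands in for the
# internal Splunk event id that the search copies into UID.
EVENTS = [
    {"_cd": "1:10", "field1": "web", "field2": "prod", "column_name": "id name email"},
    {"_cd": "1:11", "field1": "web", "field2": "prod", "column_name": "id SSN"},
    {"_cd": "1:12", "field1": "web", "field2": "prod", "column_name": "ssn cc_number"},
    {"_cd": "1:13", "field1": "web", "field2": "prod", "column_name": "cc_number cvv"},
    {"_cd": "1:14", "field1": "db",  "field2": "prod", "column_name": "id"},
    {"_cd": "1:15", "field1": "db",  "field2": "test", "column_name": "id password_hash"},
]

# Constructed stand-in for the bad_columns field of the Known_Bad_Columns lookup.
KNOWN_BAD_COLUMNS = {"id", "name", "email", "ssn"}


def _norm(value):
    # The search command's field=value test is case-insensitive, so the filter the
    # subsearch builds treats "SSN" and "ssn" as the same value. Mirror that here.
    return value.lower()


def expand_filter_dedup_count(events, known, dedup=True):
    """Mirror the posted pipeline step by step:
    mvexpand -> search NOT [subsearch] -> dedup UID -> stats count by field1, field2.
    Returns {(field1, field2): count}. dedup=False skips the dedup step so the
    overcount it prevents is visible."""
    known_norm = {_norm(k) for k in known}
    expanded = []                                        # rows after mvexpand
    for ev in events:
        for col in ev["column_name"].split(" "):         # split(column_name, " ")
            expanded.append(dict(ev, UID=ev["_cd"], singleColumns=col))
    # search NOT [ ... ]: keep rows whose singleColumns value is not in the lookup
    survivors = [r for r in expanded if _norm(r["singleColumns"]) not in known_norm]
    if dedup:
        # dedup UID: the first row per event id wins, later duplicates are dropped
        seen, kept = set(), []
        for r in survivors:
            if r["UID"] not in seen:
                seen.add(r["UID"])
                kept.append(r)
        survivors = kept
    # stats count by field1, field2
    return Counter((r["field1"], r["field2"]) for r in survivors)


def direct_count(events, known):
    """Reference answer computed per event without expanding anything: an event
    counts once if at least one of its column names is absent from the lookup."""
    known_norm = {_norm(k) for k in known}
    hits = (ev for ev in events
            if any(_norm(c) not in known_norm for c in ev["column_name"].split(" ")))
    return Counter((ev["field1"], ev["field2"]) for ev in hits)


def unknown_columns(events, known):
    """Which values caused each event to be counted; handy when a count differs
    between two runs. Returns {UID: sorted list of unknown column names}."""
    known_norm = {_norm(k) for k in known}
    out = {}
    for ev in events:
        bad = sorted(c for c in ev["column_name"].split(" ") if _norm(c) not in known_norm)
        if bad:
            out[ev["_cd"]] = bad
    return out


if __name__ == "__main__":
    pipeline = expand_filter_dedup_count(EVENTS, KNOWN_BAD_COLUMNS)
    assert pipeline == direct_count(EVENTS, KNOWN_BAD_COLUMNS)
    for (f1, f2), n in sorted(pipeline.items(), key=lambda kv: -kv[1]):   # sort - count
        print(f"{f1}\t{f2}\t{n}")
    print("without dedup:", dict(expand_filter_dedup_count(EVENTS, KNOWN_BAD_COLUMNS, dedup=False)))
    print("unknown columns per event:", unknown_columns(EVENTS, KNOWN_BAD_COLUMNS))
```

On the sample, event `1:13` carries two unknown names and produces two rows after the expand; with `dedup` it is counted once, without it the `web`/`prod` bucket grows from 2 to 3. The model is a logic check only: it has no equivalent of the caps Splunk applies to `mvexpand` (memory, `limits.conf`) or to subsearches (result and time limits), which truncate rather than fail, so when a real run on the same input disagrees with this reference the first thing to inspect is the job's messages for truncation warnings.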