A query that uses the (single) value returned by a subquery is returning different results than if I simply type in the value as a hard-coded string.

**Query 1:**

```
index=cfs_* "aeb78KaLh7VIphSVg9FSIxl46y4="
```
Returns:
- events = 1535
- hosts = 5
- source = 19
- sourcetype = 14
**Query 2:**

```
index=cfs_* [search index=cfs_* "662704824FF6C21E" | top limit=1 sessionId | fields + sessionId]
```
Returns:
- events = 1331
- hosts = 2
- source = 10
- sourcetypes = 6
with `[search index=cfs_* "662704824FF6C21E" | top limit=1 sessionId | fields + sessionId]` returning `aeb78KaLh7VIphSVg9FSIxl46y4=` when run by itself.

Why are there two different result sets simply because the value in Query 2 comes from a subsearch rather than a hard-coded value?
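An added example, not from the original post, showing why the two searches differ: a subsearch that returns a field hands back a field-qualified term, so the outer search matches on the extracted `sessionId` field, whereas Query 1 matches the bare string anywhere in the event text. The searches below reuse the values from the question; the first shows the expansion via `format` (its `search` field reads `( sessionId="aeb78KaLh7VIphSVg9FSIxl46y4=" )`), the second is the explicit field search Query 2 is equivalent to, and the third uses `return $sessionId` to hand back the bare value so the subsearch form behaves like Query 1.

```spl
index=cfs_* "662704824FF6C21E" | top limit=1 sessionId | fields + sessionId | format

index=cfs_* sessionId="aeb78KaLh7VIphSVg9FSIxl46y4="

index=cfs_* [search index=cfs_* "662704824FF6C21E" | top limit=1 sessionId | return $sessionId]
```

Events whose raw text contains the value but that have no extracted `sessionId` field match only the bare-string form, which is where the extra events, hosts and sourcetypes in Query 1 come from.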