Hello,
I have observed that the "top" command seems to calculate wrong percentage values if used on a multivalue field, i.e. a field which may contain multiple values. Example: If I run the following search:
| makeresults
| eval test="multivalue1,multivalue2|singlevalue"
| eval test = split(test, "|")
| mvexpand test
| eval test = split(test, ",")
| top test
I get the following result:
test | count | percent |
singlevalue | 1 | 50.000000 |
multivalue2 | 1 | 50.000000 |
multivalue1 | 1 | 50.000000 |
This seems wrong, because the sum of the "percent" values is 150%. It seems like Splunk's "top" command expands the input search, which consists of 2 entries, to 3 entries, which it outputs. But the percentages are being calculated using the original 2 entries, i.e. somehow like <count> / <number of input search entries>, the latter being 2 here.
Shouldn't the percentages rather be calculated as <count> / <number of expanded search entries>, the latter being the correct 3 here?
If I modify the test query so it expands the multivalue fields before the top command, the result is as expected:
| makeresults
| eval test="multivalue1,multivalue2|singlevalue"
| eval test = split(test, "|")
| mvexpand test
| eval test = split(test, ",")
| mvexpand test
| top test
test | count | percent |
singlevalue | 1 | 33.333333 |
multivalue2 | 1 | 33.333333 |
multivalue1 | 1 | 33.333333 |
My question: Is this a bug or a feature? If the former: Should I report it?
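To make the two candidate denominators in the question concrete, here is a small Python model of the behaviour described above. It is an added example, not code from the post and not Splunk's implementation of top: the `denominator` parameter, the `mvexpand` helper and the sample records are all assumptions constructed to reproduce the 150% versus 100% totals, so that you can check a result set the same way before trusting percentages computed over a multivalue field.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the two events the question's search produces before top,
# the first carrying a multivalue field (two values), the second a single value.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"test": ["multivalue1", "multivalue2"]},
    {"test": "singlevalue"},
]


def field_values(record: Dict[str, object], field: str) -> List[str]:
    """Return every value the field holds in one event (one or many)."""
    value = record.get(field)
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def mvexpand(records: Iterable[Dict[str, object]], field: str) -> List[Dict[str, object]]:
    """Model of mvexpand: one output event per value of the multivalue field."""
    expanded = []
    for record in records:
        for value in field_values(record, field):
            copy = dict(record)
            copy[field] = value
            expanded.append(copy)
    return expanded


def top(records: Iterable[Dict[str, object]], field: str,
        denominator: str = "events") -> List[Tuple[str, int, float]]:
    """Model of top: count each value, then compute percent against a chosen denominator.

    denominator="events": count / number of events that carry the field
                          (the behaviour observed in the question: 50% each).
    denominator="values": count / number of expanded values
                          (the behaviour the question expects: 33.33% each).
    The 'denominator' switch is an assumption of this model, not a Splunk option.
    """
    records = list(records)
    all_values = [v for r in records for v in field_values(r, field)]
    counts = Counter(all_values)
    if denominator == "events":
        total = sum(1 for r in records if field_values(r, field))
    elif denominator == "values":
        total = len(all_values)
    else:
        raise ValueError(f"unknown denominator: {denominator}")
    return [(value, count, round(100.0 * count / total, 6))
            for value, count in counts.most_common()]


def percent_total(rows: List[Tuple[str, int, float]]) -> float:
    """Sum of the percent column: a quick sanity check that should be ~100."""
    return round(sum(p for _, _, p in rows), 6)


if __name__ == "__main__":
    for label, rows in [
        ("top on multivalue field (events denominator)", top(SAMPLE_EVENTS, "test", "events")),
        ("top on multivalue field (values denominator)", top(SAMPLE_EVENTS, "test", "values")),
        ("mvexpand first, then top", top(mvexpand(SAMPLE_EVENTS, "test"), "test", "events")),
    ]:
        print(label)
        for value, count, percent in rows:
            print(f"  {value:<12} {count:>5} {percent:>12.6f}")
        print(f"  percent total: {percent_total(rows)}")
```

Running the script prints the three result sets side by side: the events-denominator variant reproduces the 150% total from the question, while both the values-denominator variant and the mvexpand-then-top variant total 100%, which is why expanding the multivalue field before top is the reliable way to get percentages that add up.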