Hi,
I can't grasp the concept of dedup_splitvals. I was writing a search for a pie chart on my dashboard, something like this:
index=* ... | stats count by field1, field2, field3
It returns a table, let's say it looks like this:
| field1 | field2 | field3 | count |
| --- | --- | --- | --- |
| a | b | | 8 |
| a | c | | 4 |
| d | | | 150 |
| e | | | 25 |
When I click on the first row, I see only 2 events, while the count in stats says 8. This was driving me crazy for hours.
I've stumbled upon dedup_splitvals in the documentation and decided to add it to my stats command:
index=* ... | stats count by field1, field2, field3 dedup_splitvals=true
And it worked like a charm! Counts in the table are now equal to the number of events in the search. But I still don't understand what's going on.
The documentation says:
Syntax: dedup_splitvals=<boolean>
Description: Specifies whether to remove duplicate values in multivalued BY clause fields.
What does this mean? What kind of duplicate values? Can anyone explain this?
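
A constructed search for comparing the two settings side by side, added here as an example and not part of the original post. It assumes two sample events built with makeresults, in which field1 and field2 each hold the same value twice; the values "a", "b" and "x" and the column names count_default and count_dedup are made up for the illustration.

```spl
| makeresults count=2
| eval field1=mvappend("a","a"), field2=mvappend("b","b"), field3="x"
| stats count AS count_default BY field1, field2, field3
| appendcols
    [| makeresults count=2
     | eval field1=mvappend("a","a"), field2=mvappend("b","b"), field3="x"
     | stats count AS count_dedup BY field1, field2, field3 dedup_splitvals=true
     | fields count_dedup]
```

Compare count_default and count_dedup in the result row against the two events that were generated.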