I have 20K hosts that I am trying to validate logging in Log Insight. On Friday, I ran a query in version 4.3 of Log Insight for "unique count of hostname as a single value" for the time period 2017-11-14 00:00:00.000 to 2017-12-14 15:54:16.053. The count was 8627. I run this same query today for the same time period and see a value of 7650. On both runs, I see a small alert triangle noting "Results may be inaccurate because some groups have too many distinct values."
Is this the root cause of the reported differences? No data has aged out of the cluster during this time period (per the email notifications that I would receive on data aging).
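One way to validate coverage without depending on the approximate "unique count" value (and its "too many distinct values" warning) is to export the matching events and compute the distinct hostnames exactly, then diff that set against the inventory of hosts that are supposed to be logging. The script below is an added example, not code from the original thread or from Log Insight; it assumes a CSV export with `timestamp` and `hostname` columns, and both the sample rows and the inventory list are constructed for illustration.

```python
"""Exact host-coverage check: compare the hostnames actually seen in exported
log rows against an inventory of hosts that are expected to be logging.

Added example, not code from the original thread or from Log Insight.
Assumes a CSV export with at least a 'timestamp' and 'hostname' column; the
column names, sample rows and inventory below are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export standing in for a real CSV export of the query results.
SAMPLE_EXPORT = """timestamp,hostname,text
2017-11-14T00:01:02.000Z,esx01.corp.example,vmkernel: heartbeat
2017-11-14T00:01:05.000Z,ESX01.corp.example,vmkernel: heartbeat
2017-11-14T03:10:00.000Z,esx02.corp.example,hostd: started
2017-11-20T12:00:00.000Z,db-07,sshd: session opened
2017-12-13T23:59:59.000Z,web-03.corp.example,nginx: reload
2017-12-15T00:00:00.000Z,web-04.corp.example,nginx: reload
"""

# Constructed inventory of hosts that are expected to log (stands in for the 20K host list).
EXPECTED_HOSTS = ["esx01.corp.example", "esx02.corp.example", "esx03.corp.example",
                  "db-07", "web-03.corp.example", "web-04.corp.example"]

# The time window from the original question.
WINDOW_START = datetime(2017, 11, 14, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 12, 14, 15, 54, 16, 53000, tzinfo=timezone.utc)


def normalize(hostname: str) -> str:
    """Canonicalise a hostname so case or a trailing dot does not create a
    spurious extra 'distinct' value (esx01 and ESX01 must count once)."""
    return hostname.strip().rstrip(".").lower()


def hosts_seen(export_csv: str, start: datetime, end: datetime) -> set:
    """Return the exact set of normalised hostnames with at least one row
    inside [start, end]. A set gives an exact distinct count, not an estimate."""
    seen = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if start <= ts <= end:
            seen.add(normalize(row["hostname"]))
    return seen


def coverage_report(export_csv: str, expected: list, start: datetime, end: datetime) -> dict:
    """Diff the hosts seen against the inventory: which expected hosts were
    silent in the window, and which logging hosts are not in the inventory."""
    seen = hosts_seen(export_csv, start, end)
    wanted = {normalize(h) for h in expected}
    return {
        "unique_hosts": len(seen),
        "silent": sorted(wanted - seen),
        "unexpected": sorted(seen - wanted),
    }


def run_sample() -> dict:
    """Run the check over the constructed export and inventory."""
    return coverage_report(SAMPLE_EXPORT, EXPECTED_HOSTS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    print(run_sample())
```

Rerunning this over a fresh export each day gives a stable, exact count to compare against the dashboard value, and the `silent` list is what actually needs chasing when the goal is to confirm that every one of the 20K hosts is shipping logs. Note that `web-04` only logs after the window ends, so it is correctly reported as silent for the period being validated.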
Hi,
I am reposting this question internally to reach a broader audience and get this answered.
Bucket archiving (if archiving is enabled) or bucket retirement could be the reason why you are seeing different results.
Are you seeing the same behavior?
Thank you very much for the follow-up. Yes, I am unfortunately seeing the same thing. I ran the same query today, and I see 7909 results. My best guess at this point is the orange triangle sign with an exclamation point that reads "results may be inaccurate because some groups have too many distinct values". This message is the only common item on each search.
I don't believe the issue is an aging out of buckets, but I will test by setting the General Configuration > Alerts > Email System Notifications To "my email", and I will set the "send a notification when capacity drops below 45 days of data in the system."
The setting of Configuration > Archiving option isn't activated. The cluster is set to "large" with 12 members per the installation documentation. The cluster was a new OVA deployment completed on November 9th or 10th. Each node in the system is showing about 330GB of 3.7TB total disk used.
Thank you!
One more question : have you considered upgrading to 4.5? You mentioned that your LI is 4.3, right ?
An upgrade to 4.5 will occur, but this will not happen until mid to late January.