cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

why do matchesValue and matchesPhrase give different results in this case?

GerryIsHere
Participant

Here are two queries, I don't understand why the results are different (same time period 24 hours):

fetch logs
| filter matchesPhrase(host.name, "tar04*")
| summarize collectDistinct(host.name)

tar045.dcmax.local
tar046.dcmax.local

fetch logs
| filter matchesValue(host.name, "tar04*")
| summarize collectDistinct(host.name)

tar040.dcmax.local
tar041.dcmax.local
tar045.dcmax.local
tar046.dcmax.local

 

3 REPLIES 3

cesarsaravia
Dynatrace Mentor
Dynatrace Mentor

Hi @GerryIsHere 
The only difference between those functions are the validations that matchesPhrase realizes.

cesarsaravia_0-1710967005996.png

Tried to replicate your scenario with the same data, and in both cases the result is the same.

cesarsaravia_1-1710967134116.png

Could you get us more context?
Regards,

-César S. - LATAM Solutions Architect

the logs are from WebLogic servers, I think there is 1-2 million logs a day. If I run the queries just counting the number of logs matchesPhrase finds way fewer logs. The host.names are exactly as shown.

doesn't support mid-string wildcards, except some of the time when it does apparently!

Featured Posts