Channel: Latest Questions on Splunk Answers

Eventstats Question/Bug


I notice that sometimes eventstats loads more data than the event results produce.

For example, let's say I have a search on field id that produces 5 results, which I then pass to eventstats.

id=1 | eventstats count(id)

The job inspector says my eventstats input is - and output is 5.

Duration (seconds)  Component               Invocations  Input count  Output count
    0.001           command.eventstats      1            -            5
    0.005           command.fields          7            10           10

When I do the search on a field id that produces 233 results, which I then pass to eventstats count:

id=2 | eventstats count(id)

The job inspector says that the input count has received 100,000+ results.

Duration    Component           Invocations      Input count    Output count
    0.013   command.eventstats      1            100,000         100,022
    0.006   command.fields          11           233             233

The 100,000 eventstats hits the limit defined in limits.conf and eventstats is not applied to all the results. I am wondering why for the search on a field that has 5 results the eventstats Input Count is blank (-) but for the 233 results the Input Count is 100,000.

Thanks

