Top results of Cross-Engine investigations

Overview

Investigations that return a specified number of top objects, which are ordered according to a particular criterion, may yield surprising results when targeting multiple Engines simultaneously.

Learn how these top investigations are executed in Cross-Engine contexts to avoid misunderstandings.

Individual execution of top investigations

When targeting multiple Engines, a top investigation executes first on each Engine individually and then aggregates the results. For instance, suppose that you are looking for the top 4 domains ordered by the highest number of visiting devices across two Engines.

The Cross-Engine investigation returns the total number of devices by adding the results in both Engines.

Aggregation of different top results

However, imagine that you repeat the same investigation, but you only ask for the top 2 domains with the highest number of visiting devices. In this case, the individual execution on each Engine returns a different list of domains:

Results beyond the second domain are lost. Thus, the aggregation of results ignores anything after the second position and the Cross-Engine investigation returns the following:

While we might expect to find the domain www.nexthink.com in the second place with 300 devices, as in the previous top 4 investigation, we see instead that docs-v6.nexthink.com takes the second place with 200 devices because the aggregation is ignoring the values beyond the second place in both Engines. Keep in mind this behavior when writing Cross-Engine top investigations whose aggregates are added up.

RELATED TASKS

• Editing the options of an investigation

• Enabling Cross-Engine Finder features