Top results of Cross-Engine investigations
Overview
Investigations that return a specified number of top objects, which are ordered according to a particular criterion, may yield surprising results when targeting multiple Engines simultaneously.
Learn how these top investigations are executed in Cross-Engine contexts to avoid misunderstandings.
Individual execution of top investigations
When targeting multiple Engines, a top investigation executes first on each Engine individually and then aggregates the results. For instance, suppose that you are looking for the top 4 domains ordered by the highest number of visiting devices across two Engines.
| Engine 1 | Engine 2 | ||
|---|---|---|---|
Domain | Number of Devices | Domain | Number of Devices |
300 | 350 | ||
200 | 150 | ||
150 | 50 | ||
50 | 40 |
The Cross-Engine investigation returns the total number of devices by adding the results in both Engines.
| Domain | Number of Devices |
|---|---|
650 | |
300 | |
250 | |
90 |
Aggregation of different top results
However, imagine that you repeat the same investigation, but you only ask for the top 2 domains with the highest number of visiting devices. In this case, the individual execution on each Engine returns a different list of domains:
| Engine 1 | Engine 2 | ||
|---|---|---|---|
Domain | Number of Devices | Domain | Number of Devices |
300 | 350 | ||
200 | 150 |
Results beyond the second domain are lost. Thus, the aggregation of results ignores anything after the second position and the Cross-Engine investigation returns the following:
| Domain | Number of Devices |
|---|---|
650 | |
200 |
While we might expect to find the domain www.nexthink.com in the second place with 300 devices, as in the previous top 4 investigation, we see instead that doc.nexthink.com takes the second place with 200 devices because the aggregation is ignoring the values beyond the second place in both Engines. Keep in mind this behavior when writing Cross-Engine top investigations whose aggregates are added up.
RELATED TASKS
Last updated