Viewing coalesced results
Viewing coalesced results can help you analyze the pattern underlying those results. Coalesced results can be viewed in the context of a search.
When you view coalesced results, the product identifies search results containing similar data records and groups them together to display a list of grouped records. These records are sorted by count, which means the most frequently occurring records are displayed at the top of the list. You can also sort the list of grouped records by the data pattern associated with the records.
Viewing coalesced results can help you analyze data more efficiently and make better decisions while troubleshooting issues.
Suppose that a search returns 6,000 data records. Out of the 6,000 records, say 4,000 contain the same message and only the IP address varies. When you view coalesced results, you can see one message representing the 4,000 similar messages, with the variable text indicated by an ellipsis. This can help you identify the pattern in which your search results occur and help you uncover messages that otherwise might go unnoticed.
Use the following information to understand how to view coalesced results and the other functions available with this capability:
To view coalesced results
- Navigate to the Search tab and perform a search.
- On the top-left of the page, click the vertical three dots (indicating a menu) next to All Data and select Analyze Data.
The coalesced results are displayed in the context of the search performed. You can also view anomalies by turning on the Anomalies setting. For more information, see Detecting anomalies.
How can coalesced results be useful?
Coalesced results can provide valuable insights into your data, as follows:
- Identify a pattern of the data produced for a particular search query in the given time range.
- Determine the noisiest and rarest kinds of data records (or events) that are important while troubleshooting issues.
- Find the most common and least common records that form the grouped results.
Understanding coalesced results
When you view coalesced results, the following information is available under the Coalesce tab:
Changing the coalescence factor for viewing coalesced data
By default, data is coalesced based on a coalescence factor of 70%. This means records are grouped based on at least 70% similarity (in other words, a maximum of 30% variation).
On the Coalesce tab, the slider on the top-right of the page lets you change the coalescence factor and view the results that the new factor produces. The coalescence factor controls how much variation is allowed among the records in a group.
As you move the slider from left to right, the variation used to group records decreases and the similarity increases (as shown in the following figure). In other words, the grouped records contain individual records that are more similar. Therefore, when you move the slider towards the right, you can see more results as compared to moving the slider towards the left.
The coalescence factor can affect the results displayed in the following way:
Action | Direction | Variation | Similarity | Total number of results |
---|---|---|---|---|
Move the slider from left to right | → | Less | More | More |
Move the slider from right to left | ← | More | Less | Less |
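The effect of the coalescence factor can be reproduced outside the product with the following added example, which is not the product's code or its grouping algorithm. It assumes a simplified similarity measure (the percentage of whitespace-separated tokens that match position by position against the first record of a group); the `coalesce` function and the sample records are constructed for this illustration.

```python
WILDCARD = "[...]"  # marks token positions that vary within a group

# Constructed sample records (not taken from the product or the page).
RECORDS = [
    "sshd: Failed password for user admin from 10.0.0.5 port 22",
    "sshd: Failed password for user admin from 10.0.0.9 port 22",
    "sshd: Failed password for user root from 10.0.0.7 port 22",
    "sshd: Accepted password for user backup from 10.0.0.8 port 22",
    "cron: job nightly-backup finished with exit status 0",
]

def similarity(a, b):
    """Percentage of token positions that match; 0 if lengths differ."""
    if len(a) != len(b):
        return 0.0
    return 100 * sum(x == y for x, y in zip(a, b)) / len(a)

def coalesce(records, factor=70):
    """Group records whose similarity to a group's first record is >= factor."""
    groups = []  # each group is a list of token lists; group[0] is its representative
    for record in records:
        tokens = record.split()
        best = max(groups, key=lambda g: similarity(g[0], tokens), default=None)
        if best is not None and similarity(best[0], tokens) >= factor:
            best.append(tokens)
        else:
            groups.append([tokens])
    results = []
    for members in groups:
        # Keep a token where all members agree, otherwise show the wildcard.
        pattern = [col[0] if len(set(col)) == 1 else WILDCARD for col in zip(*members)]
        results.append((" ".join(pattern), len(members)))
    return sorted(results, key=lambda r: -r[1])  # most frequent first

if __name__ == "__main__":
    for factor in (70, 80, 90):
        print(f"--- coalescence factor {factor}% ---")
        for pattern, count in coalesce(RECORDS, factor):
            print(f"{count:>3}  {pattern}")
```

With these records, raising the factor from 70 to 80 to 90 splits the single large sshd group into progressively smaller ones, so the number of results grows while each pattern contains fewer wildcards.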
Examples for understanding how data is coalesced
The following examples can help you understand how data is coalesced and displayed based on the coalescence factor applied.
- Example 1: Understanding how coalesced results are displayed if the coalescence factor is set at 70%
- Example 2: Understanding how coalesced results are displayed if the coalescence factor is set at 80%
- Example 3: Understanding how coalesced results displayed differ based on the coalescence factor
Example 1: Understanding how coalesced results are displayed if the coalescence factor is set at 70%
Suppose your data contains the following records:
Sample data records
If you set the coalescence factor to 70%, you can expect to see the following coalesced record:
Coalesced record (with coalescence factor set at 70%)
Example 2: Understanding how coalesced results are displayed if the coalescence factor is set at 80%
Suppose your data contains the following records:
Sample data records
If you set the coalescence factor to 80%, you can expect to see the following coalesced record:
Coalesced record (with coalescence factor set at 80%)
A [...] brown [...] jumps over the lazy black dog
Example 3: Understanding how coalesced results displayed differ based on the coalescence factor
Suppose your data contains the following records:
Sample data records
Scenario 1: Coalescence factor set at 70%
With the coalescence factor set to 70%, you can expect to see the following coalesced record.
The following coalesced record is expected to have a count of 4. This means the following coalesced record contains 4 messages that are 70% similar.
Note that in this scenario, if you change the coalescence factor to 60%, you can expect to see the same results.
Coalesced record (with coalescence factor set at 70%)
Scenario 2: Coalescence factor set at 80%
With the coalescence factor set to 80%, you can expect to see the following coalesced records.
The first coalesced record is expected to have a count of 3, while the next one is expected to have a count of 1. This means the first coalesced record contains 3 messages that are 80% similar.
Coalesced record (with coalescence factor set at 80%)
A [...] brown [...] jumps over the lazy [...] dog
A quick brown fox jumps over the little white cat
Scenario 3: Coalescence factor set at 90%
With the coalescence factor set to 90%, you can expect to see the following coalesced records.
The first coalesced record is expected to have a count of 2, while the second and the third ones are expected to have a count of 1. This means the first coalesced record contains 2 messages that are 90% similar.
Coalesced record (with coalescence factor set at 90%)
A quick brown fox jumps over the lazy [...] dog