Dear Support,

I understand the function of group by here, but not groupby+distinct.
Could you please explain what does this means?

196
say 1min 50counts

My guesses are:
a) It groups things by TenantName, SourceIP, ObserverIP, fire if there
are 50 distinct TargetPorts OR 50 distinct TargetIPs (either one)
b) It groups things by TenantName, SourceIP, ObserverIP, fire if there
are 50 distinct TargetPorts for all 50 distinct TargetIPs (each distinct
ip with 50 ports or each distinct port with 50 ip, total 50ip x 50port =
2500 hits)

Regards,
Jack


+----------------------------------------------------------------------+
|Filename: distincy.PNG |
|Download: https://forums.netiq.com/attachment....tachmentid=196 |
+----------------------------------------------------------------------+

--
jackcheng
------------------------------------------------------------------------
jackcheng's Profile: https://forums.netiq.com/member.php?userid=1387
View this thread: https://forums.netiq.com/showthread.php?t=51859