Nagios Support Forum

Hello,

I don't quite understand the Union in TopN query. To try understand, I made three histrograms, which list top 5 severity labels from the syslog from my Nagios XI server, see attached image.

Could someone please explain me in normal English what the difference is between OR, AND and none 'Union'? As you can see the results are very different.. The first histogram is OR, the second AND and the third 'none'.

Thanks!

I would have to look into this, to be honest. I could tell you the logical difference between AND and OR, but how that applies to this particular panel I am not certain.

If any developers wanna hop in and explain we're all ears.

Well I know the logic of 'AND' and 'OR' but I have no idea how this translates in the difference in graphs in this situation. As I only look for TopN for types of syslog messages Ti compares what exactly? And what does the none mean. The explanation in the 'about' does not really make things more clear for me.

Alright, here's how Scott explained it to me. This may not make a ton of sense but here goes:

Let's say you pick Top 10. From now on any query made with the Top 10 applied will only return, of course, the top 10 matched fields. So if you select "source IP" then only the results from the top 10 source IPs will be listed.

You also have a query. So let's say you query for "404" against the top 10 source IPs. "AND" will return the results that are in the top 10 AND have 404 in them. "OR" will return the results that are either in the top 10 OR have a 404 in them. I believe "none" is similar to a NOR, in that results will only be returned if they are NOT in the top 10 and do NOT have 404 in them.

This could be 100% wrong but this is how I understand it. Someone please correct me if I have just spewed garbage upon this fine forum.

Hmmm,

I'm trying to understand it and your explanation does make sense.

Tried to make some examples, but my examples were giving strange results. I would say let's put this thread on pause for a while. Maybe I find the time later to do some more tests to confirm this Union thing.

Grtz

Willem

I'll definitely let you know if we can come up with a more visual way to demonstrate this.