I am trying to use the Graph feature and it does not work in the way I expect. I have IIS logs indexed, and I used the logstash useragent plugin to parse the UA strings. I start with a new graph (in a 5.6.1 stack), and add ua_details.os_name and ua_details.name as sources for vertices. I set Max terms per hop to 2 on both and turn off Settings / significant links. When I do a query against * I get a pair of 4 node graphs. So far so good.
If I increase Max terms per hop to 12 for ua_details.name and do another search against * then now I get graphs where each OS is linked to several browsers, but no browser is linked to more than 2 OSes. This is also OK.
Now I decrease Max terms per hop back to 2. When I do another search the graph does not change. It does not go back to the graph I got for the original graph with both set to 2.
If I then try to add a search for, say, ua_details.name: "Chrome" the graph still does not change. Should it?
When I check the Settings / Last Request / Response after requesting ua_details.name: "Chrome" it has only four nodes (Chrome, Window 7, Windows 10, IE) and 9 connections , but the graph rendered still has all 20 nodes from the second graph.
I am expecting that a query ua_details.name: "Chrome" would cause it only to sample documents that match that query, but the fact that it gets an IE node back tells me that doesn't work the way I expect. What does it do?
