topic Re: How do I obtain counts of search results fields within a head command eval-expression? in Splunk Search

How do I obtain counts of search results fields within a head command eval-expression?

williamcharlton — Tue, 29 Sep 2020 23:30:12 GMT

I have an index with events in it that, among others, have the fields shown at the bottom of this post

When I execute index = myindex="widget_a" | streamstats dc(chunk), the results include 9 events as expected. The chunk field is in the search results with 3 values (widget_a_chunk_a, widget_a_chunk_b, and widget_a_chunk_c) as expected. My goal is to extend the query such that the search results includes only N events, where N is the number of unique chunk values evaluated at the time the search is run.

Something like: index = myindex="widget_a" | streamstats dc(chunk) | head (number_of_search_results_returned < number_of_chunk_values_returned.

I've tried index = myindex="widget_a" | streamstats dc(chunk) | head (stats count(_time) < stats count(chunk)), but the search job fails.

What is the syntax for obtaining counts of search result fields within a head command eval-expression, so I can compare them in the head command eval-expression and thus limit the number of events returned?

_time...........................chunk...............widget
2019-02-28T03:10:02.000-0500    widget_a_chunk_c    widget_a
2019-02-28T03:10:01.000-0500    widget_a_chunk_b    widget_a
2019-02-28T03:10:00.000-0500    widget_a_chunk_a    widget_a
2019-02-28T03:05:02.000-0500    widget_a_chunk_c    widget_a
2019-02-28T03:05:01.000-0500    widget_a_chunk_b    widget_a
2019-02-28T03:05:00.000-0500    widget_a_chunk_a    widget_a
2019-02-27T01:15:02.000-0500    widget_a_chunk_c    widget_a
2019-02-27T01:15:01.000-0500    widget_a_chunk_b    widget_a
2019-02-27T01:15:00.000-0500    widget_a_chunk_a    widget_a

Re: How do I obtain counts of search results fields within a head command eval-expression?

jbjerke_splunk — Tue, 29 Sep 2020 23:30:15 GMT

I think you need to do something like this

index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count

Re: How do I obtain counts of search results fields within a head command eval-expression?

williamcharlton — Wed, 06 Mar 2019 17:12:38 GMT

@jbjerke_splunk

| eventstats dc(chunk) as number_of_chunk_values_returned - this part yields 3 as expected

| streamstats count - this part yields 9 - ???

| where count - this part causes the search job to fail

May I ask what your thinking behind your approach is? I assume you believe I don't need the head command?

Re: How do I obtain counts of search results fields within a head command eval-expression?

jbjerke_splunk — Tue, 29 Sep 2020 23:30:21 GMT

Sorry there was a typo in the first search

index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count

Re: How do I obtain counts of search results fields within a head command eval-expression?

jbjerke_splunk — Wed, 06 Mar 2019 17:57:08 GMT

Ok so, the searches are being stripped from answer.

index = myindex="widget_a" 
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count<number_of_chunk_values_returned

The streamstats command creates a rowcount that you can use to filter with the where command. You cannot have dynamic values in the head command so it would not be helpful in this instance.

Re: How do I obtain counts of search results fields within a head command eval-expression?

cvssravan — Wed, 06 Mar 2019 18:36:50 GMT

@williamcharlton0028
Looking at your statement: My goal is to extend the query such that the search results includes only N events where N is the number of unique chunk values evaluated at the time the search is run.
For obtaining unique values, dedup didn't worked for you?
To my understanding you should try something like this
index=myindex widget="widget_a" | dedup chunk