topic Re: eventstats into multi-value list limit of max values in Splunk Search

eventstats into multi-value list limit of max values

wfskmoney — Thu, 13 Jun 2019 11:00:13 GMT

Is there a limit of max values in a multi-value field listSummary for

| eventstats list(variable) as listSummary by <group>

Re: eventstats into multi-value list limit of max values

kamlesh_vaghela — Thu, 13 Jun 2019 12:34:57 GMT

@wfskmoney
This can help you.
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description

Re: eventstats into multi-value list limit of max values

jnudell_2 — Thu, 13 Jun 2019 14:13:11 GMT

Hi @wfskmoney ,
As per the document reference by @kamlesh_vaghela (https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description), the list(X) command has a limit of 100 values returned.

Re: eventstats into multi-value list limit of max values

wfskmoney — Fri, 14 Jun 2019 11:24:22 GMT

yet I noticed that my frequency summaries are accurate even after using lists on aggregated results with more than 100. Does this mean that Splunk in memory still processes all events, just doesnt display them in a table? In my case use mvdedup at the end.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat | eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId | eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)

Re: eventstats into multi-value list limit of max values

wfskmoney — Fri, 14 Jun 2019 11:26:38 GMT

however I realized that my frequency counts are correct even after using list aggregation on more than 100 values. Could it be that Splunk in memory processes all the records, just doesnt display them in table in an MV field? I use mvdedup at the end.

    | table contractId amountInCHFCat
    | eventstats count as HTamountCounts by contractId amountInCHFCat | eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId | eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
    | eval amountLabels = mvdedup(amountLabels)
    | eval HTamountCounts = mvdedup(HTamountCounts)

Re: eventstats into multi-value list limit of max values

jnudell_2 — Fri, 14 Jun 2019 12:53:41 GMT

Hi @wfskmoney ,
You're better off using values instead of list and dedup if you want unique values of amountInCHFCat.

| table contractId amountInCHFCat

| eventstats count as HTamountCounts by contractId amountInCHFCat 

| eventstats values(amountInCHFCat) as amountLabels, values(HTamountCounts) as HTamountCounts by contractId 

| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")

| eval amountLabels = mvdedup(amountLabels)

| eval HTamountCounts = mvdedup(HTamountCounts)

Of course, you can use list in addition to values if your mvzip doesn't work the way you want it to after that.
In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). This is usually enough for most applications, but I have seen instances where the memory limit is reached (which you can see as a max_mem message in the search.log for the search job).

Re: eventstats into multi-value list limit of max values

wfskmoney — Tue, 25 Jun 2019 14:38:29 GMT

thanks, yes I figured in memory it should be fine. So it is possible to use list() if I dont table out