https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13380#M1225 <P>Actually, we were hoping that, because it is an indexed field, there is some kind of metadata or list that is persisted that we could access quickly, without running a search over all our events. I guess the simplest case would be source, sourcetype, or host - is there any quick way to find the list of all indexed hosts without going through stats or some other search? It seems like there must be, because the summary view displays those. We'd like to pull that type of summary information for any indexed field to get a list of all possible field values.</P> Thu, 13 May 2010 23:23:38 GMT esachs 2010-05-13T23:23:38Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13378#M1223 <P>Is there a quick way to retrieve the list of all unique values of an indexed field?</P> <P>I know I could search for the field and pipe to uniq, but hoping there might be something faster.</P> Thu, 13 May 2010 02:36:28 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13378#M1223 NancyCunningham 2010-05-13T02:36:28Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13379#M1224 <P>Absolutely. There's several ways to do this. Lets assume your field is called 'foo'. </P> <P>The most straightforward way is to use the <CODE>stats</CODE> command</P> <PRE><CODE>&lt;your search&gt; | stats count by foo </CODE></PRE> <P>Using stats opens up the door to collect other statistics by those unique values. For example: </P> <PRE><CODE>&lt;your search&gt; | stats count avg(duration) dc(username) by foo </CODE></PRE> <P>which will take the average of a field called <CODE>duration</CODE> and the distinct count of values of <CODE>username</CODE>, with each statistic being computed just for a given value of <CODE>foo</CODE></P> <P><A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Stats" rel="nofollow">http://www.splunk.com/base/Documentation/latest/SearchReference/Stats</A></P> <P>Another way worth mentioning is to just use <CODE>top</CODE> </P> <PRE><CODE>&lt;your search&gt; | top foo limit=10000 </CODE></PRE> Thu, 13 May 2010 03:08:37 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13379#M1224 sideview 2010-05-13T03:08:37Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13380#M1225 <P>Actually, we were hoping that, because it is an indexed field, there is some kind of metadata or list that is persisted that we could access quickly, without running a search over all our events. I guess the simplest case would be source, sourcetype, or host - is there any quick way to find the list of all indexed hosts without going through stats or some other search? It seems like there must be, because the summary view displays those. We'd like to pull that type of summary information for any indexed field to get a list of all possible field values.</P> Thu, 13 May 2010 23:23:38 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13380#M1225 esachs 2010-05-13T23:23:38Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13381#M1226 <P>can you add this as a comment to Nick's answer, and not as a new answer?</P> Sat, 15 May 2010 02:30:30 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13381#M1226 piebob 2010-05-15T02:30:30Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13382#M1227 <P>For some reason, I don't see an "add comment" field on Nick's answer. Is there some other way to do that?</P> Tue, 18 May 2010 22:28:32 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13382#M1227 esachs 2010-05-18T22:28:32Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13383#M1228 <P>For <CODE>host</CODE>, <CODE>source</CODE>, and <CODE>sourcetype</CODE> specifically, you can use the <CODE>|metadata</CODE> search command.</P> Mon, 31 May 2010 20:27:53 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13383#M1228 gkanapathy 2010-05-31T20:27:53Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13384#M1229 <P>For <CODE>host</CODE>, <CODE>source, and</CODE>sourcetype<CODE>specifically, you can use the</CODE>| metadata` search command, which can certainly be much faster. If you need this a lot, run a scheduled search that runs over recent data and updates a lookup table (...| append [ inputlookup mytable ] | dedup myfield1, myfield2 | outputlookup mytable), i.e., basically you generate and maintain the metadata yourself periodically.</P> Mon, 31 May 2010 20:30:32 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13384#M1229 gkanapathy 2010-05-31T20:30:32Z https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13385#M1230 <PRE><CODE>|tstats values(&lt;indexed__field_name&gt;) where index=&lt;index_name&gt; </CODE></PRE> <P>will totally avoid going over any events. It gets its answer from looking at metadata in .tsidx files, so no perf hit for scanning events. Orders of magnitude faster than piping a search to stats.</P> Wed, 18 Sep 2019 19:17:00 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-unique-values-of-an-indexed-field/m-p/13385#M1230 ghendrey_splunk 2019-09-18T19:17:00Z