https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60749#M180136 <P>When you say "one event has max 100 questions," do you mean that each event can have more than one question? Is Question a multi-valued field?</P> <P>Assuming that Question is <EM>not</EM> a multi-valued field, try</P> <PRE><CODE>myseach | stats count by Questions | sort -count </CODE></PRE> <P>This will give you a list of all Questions, whether there are 50 or 500...<BR /><BR /> You might want to take a look at some other possible stats functions, such as distinct_count, <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions">here</A></P> Sat, 15 Sep 2012 20:47:16 GMT lguinn2 2012-09-15T20:47:16Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60747#M180134 <P>Hi..</P> <P>I have created a Field "Questions" in my Splunk Query.When i am using like this..</P> <P>*<EM>myseach | top Questions *</EM></P> <P>Its not displaying all the Questions in my event.ie one event has max 100 questions..But all of them were not displayed using the top Command ..</P> <P>Please help..</P> Sat, 15 Sep 2012 14:55:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60747#M180134 rakesh_498115 2012-09-15T14:55:35Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60748#M180135 <P>The default for the top command is 10 values. You can do either of the following to get the top 100.</P> <PRE><CODE>... | top 100 Questions or ... | top limit=100 Questions </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/top">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/top</A></P> Sat, 15 Sep 2012 16:32:54 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60748#M180135 sdaniels 2012-09-15T16:32:54Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60749#M180136 <P>When you say "one event has max 100 questions," do you mean that each event can have more than one question? Is Question a multi-valued field?</P> <P>Assuming that Question is <EM>not</EM> a multi-valued field, try</P> <PRE><CODE>myseach | stats count by Questions | sort -count </CODE></PRE> <P>This will give you a list of all Questions, whether there are 50 or 500...<BR /><BR /> You might want to take a look at some other possible stats functions, such as distinct_count, <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions">here</A></P> Sat, 15 Sep 2012 20:47:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60749#M180136 lguinn2 2012-09-15T20:47:16Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60750#M180137 <P>not exactly this i need..actually in my event i had this <QUESTION>abc....etc</QUESTION> tag more then 100 times for each event.<BR /> When i created the rex expression like this..</P> <P>mysearch | rex field=_raw "<QUESTION>(?<QUESTION>[^&lt;]*)&lt;" | top Question</QUESTION></QUESTION></P> <P>i dnt think all the values are displayed for Question Field..even i use the limit followed by top command..</P> <P>is there any option like MAX_LENGTH with top to display all the values of Question Tag..</P> Sun, 16 Sep 2012 06:06:18 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60750#M180137 rakesh_498115 2012-09-16T06:06:18Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60751#M180138 <P>question is multivalued field only..</P> Sun, 16 Sep 2012 07:30:06 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60751#M180138 rakesh_498115 2012-09-16T07:30:06Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60752#M180139 <P>Okay, since Question is a <STRONG>multi-valued</STRONG> field, we need a way to "break out" all the values for question. The <CODE>mvexpand</CODE> command will do that. Also, by default the <CODE>rex</CODE> command will only extract the first occurrence of the regular expression unless you specify max_match.</P> <P>Try this:</P> <PRE><CODE>mysearch | rex field=_raw max_match=150 "&lt;question&gt;(?&lt;question&gt;.*?)\&lt;" | mvexpand question | top question </CODE></PRE> Mon, 17 Sep 2012 07:52:00 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60752#M180139 lguinn2 2012-09-17T07:52:00Z https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60753#M180140 <P>| top limit=0 Questions should do your work.</P> Tue, 31 Jan 2017 04:35:25 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-display-all-the-values-for-my-Field/m-p/60753#M180140 thirumalreddyb 2017-01-31T04:35:25Z