https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572148#M199405 <P>Edited to specify what the question is.&nbsp; &nbsp;Yeah, the search can be optimized, will change that. thanks...</P> Sun, 24 Oct 2021 12:30:54 GMT sjringo 2021-10-24T12:30:54Z https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572145#M199403 <P><SPAN>index=anIndex sourcetype=aSourceType ("*Starting application:*" AND (host="aHostName*")) | stats values(host) AS ServerList</SPAN></P><P><SPAN>The above query gives me a list of distinct server names.&nbsp; What I am attempting to do is use this query for an alert and provide the list of server's but only when the # of servers in the distinct list returned in the above query is less than a specified #.</SPAN></P><P>I will be configuring the alert to trigger when the results are &gt; 0 since the trigger condition will be in the query and not the alert.</P><P>How do I modify the query above to only provide ServerList if the # of distinct servers in that list is &lt; 10 ?</P><P>&nbsp;</P> Sun, 24 Oct 2021 12:28:36 GMT https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572145#M199403 sjringo 2021-10-24T12:28:36Z https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572146#M199404 <P>Ok, but where's the question? What's your problem with that?</P><P>And remember that AND is implicit so you don't have to write (condA AND (condB)). Just do condA condB on their own. And avoid wildcard at the beginning of a search term - it will cause splunk to read all the events from given time range to find a match.&nbsp; Especially if your search term starts at the word boundary - there's no point of adding that wildcard at the beginning. Check for yourself - search for "Starting application:" and "*Starting application:" and compare execution time.</P> Sun, 24 Oct 2021 12:23:35 GMT https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572146#M199404 PickleRick 2021-10-24T12:23:35Z https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572148#M199405 <P>Edited to specify what the question is.&nbsp; &nbsp;Yeah, the search can be optimized, will change that. thanks...</P> Sun, 24 Oct 2021 12:30:54 GMT https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572148#M199405 sjringo 2021-10-24T12:30:54Z https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572150#M199406 <P>Since you have a multivalued field, you can do</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;your search&gt; | where mvcount(ServerList)&gt;10</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Sun, 24 Oct 2021 12:36:24 GMT https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572150#M199406 PickleRick 2021-10-24T12:36:24Z https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572151#M199407 <P>Was not aware of mvcount(...)&nbsp;</P><P>Thanks for you input and suggestions, its greatly appreciated !</P><P>&nbsp;</P> Sun, 24 Oct 2021 12:40:06 GMT https://community.splunk.com/t5/Splunk-Search/Unique-host-list-but-only-when-the-of-hosts-is-lt-some-To-be/m-p/572151#M199407 sjringo 2021-10-24T12:40:06Z