topic Re: How can we limit the tstats record? in Splunk Search

How can we limit the tstats record?

sumitnagal — Thu, 19 Jan 2023 23:19:02 GMT

I am using tstats command from a while, right now we want to make tstats command to limit record as we are using in kubernetes and there are way too many events. I have looked around and don't see limit option. though as a work around I use `| head 100` to limit but that won't stop processing the main search query.

Re: how can we limit the tstats record

richgalloway — Mon, 29 Jun 2020 21:53:44 GMT

The short answer is you can't.
You can limit the tstats results with the where clause, but there's no way to stop it after a certain number of results, just like with the implicit search command in non-tstats queries.

Re: how can we limit the tstats record

LIS — Thu, 19 Jan 2023 22:58:51 GMT

This is possible with argument prestats=t and then for example command stats:

| tstats prestats=t count(your field) where index=index by field

| head 50

| stats count(your field) by field

Re: how can we limit the tstats record

richgalloway — Fri, 20 Jan 2023 01:01:43 GMT

That will limit the number of results, but as the OP says, it has no effect on the number of events read from disk.

Re: How can we limit the tstats record?

LIS — Fri, 20 Jan 2023 08:21:08 GMT

Maybe it is correct from theoretical side, but it was checked in a practical way:

In comparison query with prestats for the same data and time frame takes 0.874 seconds

| tstats prestats=t count(your field) where index=index by field

| head 50

| stats count(your field) by field

This search has completed and has returned 5 results by scanning 6,460 events in 0.874 seconds

While without prestats - > 6.305 seconds

| tstats count(your field) where index=index by field

| head 50

This search has completed and has returned 5 results by scanning 76,972 events in 6.305 seconds

Re: How can we limit the tstats record?

jonaclough — Fri, 20 Jan 2023 10:28:56 GMT

If you want to filter by column try something like this

| tstats allow_old_summaries=t summariesonly=t count min(_time) as first_time max(_time) as last_time from datamodel=Network_Traffic where All_Traffic.action="allowed" by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport | rename All_Traffic.* as * | sort 0 - last_time | convert ctime(first_time) ctime(last_time) | fields dvc rule src_ip dest dest_port transport count first_time last_time action

Re: How can we limit the tstats record?

richgalloway — Fri, 20 Jan 2023 13:43:59 GMT

Interesting! Thanks for sharing!