topic Re: Values(x) showing too many results. Is there a way to limit the number of results to a field? in Splunk Search

Values(x) showing too many results. Is there a way to limit the number of results to a field?

ivanayala — Tue, 31 Mar 2015 17:00:04 GMT

I am trying to limit the number of results shown when I use the values command. Here is my search:

index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"

The search works fine, but what i am having an issues with is when i get hundreds of results within a field. Is there a way to limit the number of results to a field, say 10-15 results to a field?

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

ngatchasandra — Tue, 31 Mar 2015 17:20:59 GMT

Hi ivanayala,
Try with top command and add limit attribut like example index=_internal | stats count by soucetype | top limit= 3 sourcetype

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

Patient — Mon, 28 Sep 2020 19:23:28 GMT

Hello,

Try with:
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"| head 15

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

ivanayala — Tue, 31 Mar 2015 17:45:36 GMT

I am not trying to limit the number of records returned as you can do with head and top. This is an example of the date result and the field in this case that I want to limit is the "File Name". So lets say I only wanted to return (x) number of file names. For testing purposes lets say x=10

Source Number of Events Method Violated Policies Destination File Name
Doe, John 25771 MEDIA HPolicyName1 WD My Passport f:\myfilename1.msg - 813 KB
f:\myfilename2.msg - 813 KB
f:\myfilename3.msg - 813 KB
f:\myfilename4.msg - 813 KB
f:\myfilename5.msg - 813 KB
f:\myfilename6.msg - 813 KB
f:\myfilename7.msg - 813 KB
f:\myfilename8.msg - 813 KB
f:\myfilename9.msg - 813 KB
f:\myfilename10.msg - 813 KB
f:\myfilename11.msg - 813 KB
f:\myfilename12.msg - 813 KB
f:\myfilename13.msg - 813 KB
f:\myfilename14.msg - 813 KB
f:\myfilename15.msg - 813 KB
f:\myfilename16.msg - 813 KB
f:\myfilename17.msg - 813 KB
f:\myfilename18.msg - 813 KB
f:\myfilename19.msg - 813 KB
f:\myfilename20.msg - 813 KB

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

ivanayala — Tue, 31 Mar 2015 17:46:11 GMT

I added some more information to my question. Thank you for replying.

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

ivanayala — Tue, 31 Mar 2015 17:46:18 GMT

I added some more information to my question. Thank you for replying.

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

stephane_cyrill — Tue, 31 Mar 2015 18:50:29 GMT

Hi, patient and Sandrine
Limit and head as you used affect the number of event not the number of values of a given field.

the function value(X) gives us the list of all distinct values of the field X as a multi-value entry. So what ivanayala need is to reduce or limit that number of values.

Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

templets — Mon, 13 Feb 2017 21:48:15 GMT

you can select a subset range of values in a multivalued field using mvindex. This example creates mv fields of all computers in the same subnet, then takes the first 3 as examples of computers in that subnet.

. . . | table computer_name subnet
      | mvcombine computer_name
      | eval examples = mvindex( computer_name, 0, 2 ) 
      | fields - computer_name