Distinct count limit workaround

Path Finder

So I use the following workaround to get over the 100k hurdle with distinct_count(field1):

....| stats count by field1 | stats count

However, I need to include other metrics (field2, field3) in the same search. For example:

....| stats avg(field2) avg(field3)

How can I compute all three metrics in one search?


Re: Distinct count limit workaround

SplunkTrust

It will make it a bit less efficient, but eventstats can make a first pass for you.

....| eventstats avg(field2) as f2 avg(field3) as f3 | stats first(f2) as f2 first(f3) as f3 count by field1 | stats count first(f2) as "avg field2" first(f3) as "avg field3"

Re: Distinct count limit workaround

Splunk Employee

I believe that limit has been removed as of version 4.2, so I think if you can upgrade, you can get around it easily that way.
