- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Alternative of list(x)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alternative of list(x)
Is there any alternative to list() function as it has limitation to return only 100 values? i have a multivalue list having more than 100 values and repeated, i need all of the values even duplicated. so i cant use list( because it only returns 100 value ) i cant use values(because i need duplicated values ).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The general approach is to convert the list(foo) to count BY foo. Now you know how many, but you lose the order. It would probably be better if you explained the entirety of your need for this solution and there is probably a better way to go about it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You said - "i have values more than hundred and i cant mention max value it can be in thousands or sometimes in millions , i need to divide that value in range by some columns , so i need all values."
It sounds like you are asking the wrong question. Please describe your actual use case, so that we can help you get what you need. What are you really trying to do?
Obviously, no human is going to look at a list of more than 100 values in a single event. A million values? That would be complete nonsense.
If you are trying to count the number of values or of records, then just count the number of values or of records, perhaps using | eventstats dc(foo) as distinctFoo count(Foo) as totalFoo by somefield.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have score field which has numeric values from 0-1 ex 0.1,0.2,0.33,0.64 etc, and i have to show the result how many number of scores lie under these ranges
0-0.4 (280)
0.4-0.6 (10)
0.6-0.8 (0)
0.8-1(0)
so used rangemap, to set range of score,
basic search | rangemap field=score to40=0-0.4 to60=0.4-0.6 to80=0.6-0.8 to1=0.8-1| stats list(range) as r by field1, field2, field3, field4 | stats sum(alerts_count) as "Number Of Alerts Generated", list(facility_alerts) as Facilities list(r) as ranges by tenant, detector,ioi where as in range there are more than 100values but due to its limitation i am only getting 100 values in ranges
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sindhoo for us to assist you better please provide your current search and some sample data. Purpose of using multi-value instead of single value if it is more than 100. Also what would be maximum value otherwise.
You can use streamstats to add a counter to events by the field which have multiple values. Then you can use combine | eval field=counter+field to get the field where you would apply values(field) as each value will be unique.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have values more than hundred and i cant mention max value it can be in thousands or sometimes in millions , i need to divide that value in range by some columns , so i need all values.
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
