Splunk Search

Alternative of list(x)

sindhoo
Engager

Is there any alternative to the list() function, as it has a limitation of returning only 100 values? I have a multivalue list with more than 100 values, some repeated, and I need all of the values, including the duplicates. So I can't use list() (because it only returns 100 values) and I can't use values() (because I need the duplicated values).


woodcock
Esteemed Legend

The general approach is to convert list(foo) to count BY foo. Now you know how many there are, but you lose the order. It would probably be better if you explained the entirety of your need for this solution; there is probably a better way to go about it.


DalJeanis
Legend

You said: "I have values more than a hundred and I can't mention a max value; it can be in the thousands or sometimes in the millions. I need to divide that value into ranges by some columns, so I need all values."

It sounds like you are asking the wrong question. Please describe your actual use case, so that we can help you get what you need. What are you really trying to do?

Obviously, no human is going to look at a list of more than 100 values in a single event. A million values? That would be complete nonsense.

If you are trying to count the number of values or of records, then just count the number of values or of records, perhaps using | eventstats dc(foo) as distinctFoo count(foo) as totalFoo by somefield.


sindhoo
Engager

I have a score field with numeric values from 0 to 1 (e.g. 0.1, 0.2, 0.33, 0.64), and I have to show how many scores lie in each of these ranges:
0-0.4 (280)
0.4-0.6 (10)
0.6-0.8 (0)
0.8-1 (0)
So I used rangemap to set the range of the score:

basic search | rangemap field=score to40=0-0.4 to60=0.4-0.6 to80=0.6-0.8 to1=0.8-1 | stats list(range) as r by field1, field2, field3, field4 | stats sum(alerts_count) as "Number Of Alerts Generated", list(facility_alerts) as Facilities, list(r) as ranges by tenant, detector, ioi

In range there are more than 100 values, but due to its limitation I am only getting 100 values in ranges.

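The count-BY approach suggested by woodcock and DalJeanis above, applied to the score-range use case in this post. This is an added example written for this thread, not a search from any of the posters. It assumes the field names from the search above (score, tenant, detector, ioi) and replaces rangemap with an explicit eval case() so that the boundary values 0.4, 0.6 and 0.8 land in exactly one bucket (with rangemap as written, the ranges overlap at those points). The per-range columns are computed directly, so no list() is involved and the 100-value cap never applies.

```spl
basic search
| eval range=case(score < 0.4,  "0-0.4",
                  score < 0.6,  "0.4-0.6",
                  score < 0.8,  "0.6-0.8",
                  score <= 1,   "0.8-1",
                  true(),       "out_of_range")
| stats count(eval(range="0-0.4"))      as "0-0.4"
        count(eval(range="0.4-0.6"))    as "0.4-0.6"
        count(eval(range="0.6-0.8"))    as "0.6-0.8"
        count(eval(range="0.8-1"))      as "0.8-1"
        count(eval(range="out_of_range")) as "out of range"
        count                           as "Total Scores"
  by tenant detector ioi
```

Each row carries one count per range for a tenant/detector/ioi combination, which is what the "0-0.4 (280)" display needs. The "out of range" column is a sanity check: any score outside 0 to 1 (a parsing or normalisation bug upstream) shows up there instead of silently dropping out of the totals. Because stats only ever keeps counters, this scales to millions of scores per group, which a multivalue field of millions of entries would not.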

niketn
Legend

@sindhoo, for us to assist you better, please provide your current search and some sample data. What is the purpose of using a multivalue field instead of single values if it is more than 100? Also, what would the maximum value be otherwise?

You can use streamstats to add a counter to the events by the field which has multiple values. Then you can combine them with | eval field=counter+field to get a field where you can apply values(field), as each value will be unique.

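Worked version of the streamstats counter idea from the reply above, written for this thread and not part of niketn's post. It assumes the field names from sindhoo's search (score, tenant, detector, ioi, range), and that the Splunk version supports printf() and mvmap() in eval (both are assumptions about the deployment). The counter is zero-padded so that the lexicographic order values() imposes on its output matches the event order, and the prefix is stripped again afterwards.

```spl
basic search
| rangemap field=score to40=0-0.4 to60=0.4-0.6 to80=0.6-0.8 to1=0.8-1
| streamstats count as n by tenant detector ioi
| eval tagged = printf("%06d", n) . ":" . range
| stats values(tagged) as ranges by tenant detector ioi
| eval ranges = mvmap(ranges, mvindex(split(ranges, ":"), 1))
```

Two caveats a practitioner would want. First, the 100-value cap on list() is the list_maxsize setting in the [stats] stanza of limits.conf, and values() has its own cap (maxvalues in the same stanza); raising either changes behaviour for every search on that search head, so the tagging trick is the local fix and the count-BY rewrite is the scalable one. Second, this still materialises every range value in one multivalue field, so it is only sensible for hundreds or low thousands of values per group; for millions of scores, counting per range is the only workable approach.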

sindhoo
Engager

I have values more than a hundred and I can't mention a max value; it can be in the thousands or sometimes in the millions. I need to divide that value into ranges by some columns, so I need all values.
