Solved: Re: Distinct count limit workaround

nbharadwaj · ‎05-28-2011

So I use the following workaround to get over the 100k hurdle with distinct_count(field1)

....| stats count by field1 | stats count

However I need to include other metrics (field2, field3) in the same search. For example

....| stats avg(field2) avg(field3)

How can I compute all the three metrics in one search?

gkanapathy · ‎05-29-2011

I believe that limit has been removed as of version 4.2, so I think if you can upgrade, you can get around it easily that way.

View solution in original post

gkanapathy · ‎05-29-2011

I believe that limit has been removed as of version 4.2, so I think if you can upgrade, you can get around it easily that way.

sideview · ‎05-28-2011

It will make it a bit less efficient but eventstats can make a first pass for you.

Eventstats avg(field2) as f2 avg(field3) as f3 | stats first(f2) as f2 first(f3) as f3 count by field1 | stats count first(f2) as "avg field2" first(f3) as "avg field3"

Distinct count limit workaround

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!