Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can we limit the tstats record?

sumitnagal
Path Finder
‎06-29-2020 02:09 PM

I am using tstats command from a while, right now we want to make tstats command to limit record as we are using in kubernetes and there are way too many events. I have looked around and don't see limit option. though as a work around I use `| head 100` to limit but that won't stop processing the main search query.

Labels (1)
Labels
0 Karma
Reply

jonaclough
Path Finder
‎01-20-2023 02:28 AM

If you want to filter by column try something like this

| tstats allow_old_summaries=t summariesonly=t 
count min(_time) as first_time max(_time) as last_time 
from datamodel=Network_Traffic 
where All_Traffic.action="allowed"
by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport
| rename All_Traffic.* as * 
| sort 0 - last_time
| convert ctime(first_time) ctime(last_time)
| fields dvc rule src_ip dest dest_port transport count first_time last_time action
0 Karma
Reply

LIS
Path Finder
‎01-20-2023 12:21 AM

Maybe it is correct from theoretical side, but it was checked in a practical way:

In comparison query with prestats for the same data and time frame takes 0.874 seconds

| tstats prestats=t count(your field) where index=index by field

| head 50

| stats count(your field) by field

This search has completed and has returned 5 results by scanning 6,460 events in 0.874 seconds

 

While without prestats - > 6.305 seconds

| tstats count(your field) where index=index by field

| head 50

This search has completed and has returned 5 results by scanning 76,972 events in 6.305 seconds

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2023 05:43 AM

Interesting!  Thanks for sharing!

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-29-2020 02:53 PM
The short answer is you can't.
You can limit the tstats results with the where clause, but there's no way to stop it after a certain number of results, just like with the implicit search command in non-tstats queries.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

LIS
Path Finder
‎01-19-2023 02:58 PM

This is possible with argument prestats=t and then for example command stats:

| tstats prestats=t count(your field) where index=index by field

| head 50

| stats count(your field) by field

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-19-2023 05:01 PM

That will limit the number of results, but as the OP says, it has no effect on the number of events read from disk.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...