Solved: How do I obtain counts of search results fields wi...

williamcharlton · ‎03-06-2019

I have an index with events in it that, among others, have the fields shown at the bottom of this post

When I execute index = myindex="widget_a" | streamstats dc(chunk), the results include 9 events as expected. The chunk field is in the search results with 3 values (widget_a_chunk_a, widget_a_chunk_b, and widget_a_chunk_c) as expected. My goal is to extend the query such that the search results includes only N events, where N is the number of unique chunk values evaluated at the time the search is run.

Something like: index = myindex="widget_a" | streamstats dc(chunk) | head (number_of_search_results_returned < number_of_chunk_values_returned.

I've tried index = myindex="widget_a" | streamstats dc(chunk) | head (stats count(_time) < stats count(chunk)), but the search job fails.

What is the syntax for obtaining counts of search result fields within a head command eval-expression, so I can compare them in the head command eval-expression and thus limit the number of events returned?

_time...........................chunk...............widget
2019-02-28T03:10:02.000-0500    widget_a_chunk_c    widget_a
2019-02-28T03:10:01.000-0500    widget_a_chunk_b    widget_a
2019-02-28T03:10:00.000-0500    widget_a_chunk_a    widget_a
2019-02-28T03:05:02.000-0500    widget_a_chunk_c    widget_a
2019-02-28T03:05:01.000-0500    widget_a_chunk_b    widget_a
2019-02-28T03:05:00.000-0500    widget_a_chunk_a    widget_a
2019-02-27T01:15:02.000-0500    widget_a_chunk_c    widget_a
2019-02-27T01:15:01.000-0500    widget_a_chunk_b    widget_a
2019-02-27T01:15:00.000-0500    widget_a_chunk_a    widget_a

jbjerke_splunk · ‎03-06-2019

Sorry there was a typo in the first search

index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count

View solution in original post

cvssravan · ‎03-06-2019

@williamcharlton0028
Looking at your statement: My goal is to extend the query such that the search results includes only N events where N is the number of unique chunk values evaluated at the time the search is run.
For obtaining unique values, dedup didn't worked for you?
To my understanding you should try something like this
index=myindex widget="widget_a" | dedup chunk

jbjerke_splunk · ‎03-06-2019

Sorry there was a typo in the first search

index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count

jbjerke_splunk · ‎03-06-2019

Ok so, the searches are being stripped from answer.

index = myindex="widget_a" 
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count<number_of_chunk_values_returned

The streamstats command creates a rowcount that you can use to filter with the where command. You cannot have dynamic values in the head command so it would not be helpful in this instance.

j

jbjerke_splunk · ‎03-06-2019

Hi

I think you need to do something like this

index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count

williamcharlton · ‎03-06-2019

@jbjerke_splunk

| eventstats dc(chunk) as number_of_chunk_values_returned - this part yields 3 as expected

| streamstats count - this part yields 9 - ???

| where count - this part causes the search job to fail

May I ask what your thinking behind your approach is? I assume you believe I don't need the head command?

How do I obtain counts of search results fields within a head command eval-expression?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life