I have an index with events in it that, among others, have the fields shown at the bottom of this post.
When I execute index = myindex="widget_a" | streamstats dc(chunk), the results include 9 events as expected. The chunk field is in the search results with 3 values (widget_a_chunk_a, widget_a_chunk_b, and widget_a_chunk_c) as expected. My goal is to extend the query such that the search results include only N events, where N is the number of unique chunk values evaluated at the time the search is run.
Something like: index = myindex="widget_a" | streamstats dc(chunk) | head (number_of_search_results_returned < number_of_chunk_values_returned).
I've tried index = myindex="widget_a" | streamstats dc(chunk) | head (stats count(_time) < stats count(chunk)), but the search job fails.
What is the syntax for obtaining counts of search result fields within a head command eval-expression, so I can compare them in the head command eval-expression and thus limit the number of events returned?
_time                            chunk             widget
2019-02-28T03:10:02.000-0500     widget_a_chunk_c  widget_a
2019-02-28T03:10:01.000-0500     widget_a_chunk_b  widget_a
2019-02-28T03:10:00.000-0500     widget_a_chunk_a  widget_a
2019-02-28T03:05:02.000-0500     widget_a_chunk_c  widget_a
2019-02-28T03:05:01.000-0500     widget_a_chunk_b  widget_a
2019-02-28T03:05:00.000-0500     widget_a_chunk_a  widget_a
2019-02-27T01:15:02.000-0500     widget_a_chunk_c  widget_a
2019-02-27T01:15:01.000-0500     widget_a_chunk_b  widget_a
2019-02-27T01:15:00.000-0500     widget_a_chunk_a  widget_a
Sorry, there was a typo in the first search:
index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count
@williamcharlton0028
Looking at your statement: "My goal is to extend the query such that the search results include only N events where N is the number of unique chunk values evaluated at the time the search is run."
For obtaining unique values, didn't dedup work for you?
To my understanding you should try something like this:
index=myindex widget="widget_a" | dedup chunk
Ok so, the searches are being stripped from the answer.
index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count<number_of_chunk_values_returned
The streamstats command creates a rowcount that you can use to filter with the where command. You cannot have dynamic values in the head command so it would not be helpful in this instance.
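To make the difference between the two stats commands concrete, here is an added example (not from the thread or from Splunk) that simulates this pipeline in Python over the nine rows from the question. It assumes the rows arrive in the reverse-chronological order shown above; eventstats attaches the whole-set distinct count to every row, while streamstats count numbers rows 1..N, so the final where clause is what trims the result set.

```python
# Constructed sample events: the nine rows from the question, in search-result order.
EVENTS = [
    {"_time": "2019-02-28T03:10:02.000-0500", "chunk": "widget_a_chunk_c", "widget": "widget_a"},
    {"_time": "2019-02-28T03:10:01.000-0500", "chunk": "widget_a_chunk_b", "widget": "widget_a"},
    {"_time": "2019-02-28T03:10:00.000-0500", "chunk": "widget_a_chunk_a", "widget": "widget_a"},
    {"_time": "2019-02-28T03:05:02.000-0500", "chunk": "widget_a_chunk_c", "widget": "widget_a"},
    {"_time": "2019-02-28T03:05:01.000-0500", "chunk": "widget_a_chunk_b", "widget": "widget_a"},
    {"_time": "2019-02-28T03:05:00.000-0500", "chunk": "widget_a_chunk_a", "widget": "widget_a"},
    {"_time": "2019-02-27T01:15:02.000-0500", "chunk": "widget_a_chunk_c", "widget": "widget_a"},
    {"_time": "2019-02-27T01:15:01.000-0500", "chunk": "widget_a_chunk_b", "widget": "widget_a"},
    {"_time": "2019-02-27T01:15:00.000-0500", "chunk": "widget_a_chunk_a", "widget": "widget_a"},
]


def eventstats_dc(events, field, as_field):
    """eventstats dc(<field>) as <as_field>: distinct count over the whole
    result set, attached to every row. Row count is unchanged (still 9)."""
    dc = len({e[field] for e in events})
    return [dict(e, **{as_field: dc}) for e in events]


def streamstats_count(events, as_field="count"):
    """streamstats count: a running row number 1..N in result order, which is
    why it "yields 9" on the last row rather than a single total."""
    return [dict(e, **{as_field: i}) for i, e in enumerate(events, start=1)]


def where(events, predicate):
    """where <expr>: keep only rows for which the predicate is true."""
    return [e for e in events if predicate(e)]


def dedup(events, field):
    """dedup <field>: first occurrence of each value, in result order."""
    seen, out = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            out.append(e)
    return out


def run_pipeline(events, strict=True):
    """... | eventstats dc(chunk) as number_of_chunk_values_returned
           | streamstats count | where count < N   (strict=True, as posted)
       or  | where count <= N                      (strict=False)"""
    rows = streamstats_count(eventstats_dc(events, "chunk", "number_of_chunk_values_returned"))
    if strict:
        return where(rows, lambda e: e["count"] < e["number_of_chunk_values_returned"])
    return where(rows, lambda e: e["count"] <= e["number_of_chunk_values_returned"])
```

Run as written, the posted comparison (count < N) keeps 2 rows because the row numbers are 1..9 and N is 3; count <= N keeps exactly N rows, which matches the goal stated in the question. The dedup approach from the other answer also returns 3 rows, one per chunk value.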
Hi,
I think you need to do something like this:
index = myindex="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count
@jbjerke_splunk
| eventstats dc(chunk) as number_of_chunk_values_returned
- this part yields 3 as expected
| streamstats count
- this part yields 9 - ???
| where count
- this part causes the search job to fail
May I ask what your thinking behind your approach is? I assume you believe I don't need the head command?