Splunk Search

How do I obtain counts of search results fields within a head command eval-expression?

Path Finder

I have an index with events in it that, among others, have the fields shown at the bottom of this post

When I execute index=myindex widget="widget_a" | streamstats dc(chunk), the results include 9 events as expected. The chunk field is in the search results with 3 values (widget_a_chunk_a, widget_a_chunk_b, and widget_a_chunk_c) as expected. My goal is to extend the query such that the search results include only N events, where N is the number of unique chunk values evaluated at the time the search is run.

Something like: index=myindex widget="widget_a" | streamstats dc(chunk) | head (number_of_search_results_returned < number_of_chunk_values_returned)

I've tried index=myindex widget="widget_a" | streamstats dc(chunk) | head (stats count(_time) < stats count(chunk)), but the search job fails.

What is the syntax for obtaining counts of search result fields within a head command eval-expression, so I can compare them in the head command eval-expression and thus limit the number of events returned?

_time                           chunk               widget
2019-02-28T03:10:02.000-0500    widget_a_chunk_c    widget_a
2019-02-28T03:10:01.000-0500    widget_a_chunk_b    widget_a
2019-02-28T03:10:00.000-0500    widget_a_chunk_a    widget_a
2019-02-28T03:05:02.000-0500    widget_a_chunk_c    widget_a
2019-02-28T03:05:01.000-0500    widget_a_chunk_b    widget_a
2019-02-28T03:05:00.000-0500    widget_a_chunk_a    widget_a
2019-02-27T01:15:02.000-0500    widget_a_chunk_c    widget_a
2019-02-27T01:15:01.000-0500    widget_a_chunk_b    widget_a
2019-02-27T01:15:00.000-0500    widget_a_chunk_a    widget_a
0 Karma

Re: How do I obtain counts of search results fields within a head command eval-expression?

Splunk Employee

Hi

I think you need to do something like this:

index=myindex widget="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count

0 Karma

Re: How do I obtain counts of search results fields within a head command eval-expression?

Path Finder

@jbjerke_splunk

| eventstats dc(chunk) as number_of_chunk_values_returned - this part yields 3 as expected

| streamstats count - this part yields 9 - ???

| where count - this part causes the search job to fail

May I ask what your thinking behind your approach is? I assume you believe I don't need the head command?

0 Karma

Re: How do I obtain counts of search results fields within a head command eval-expression?

Splunk Employee

Sorry, there was a typo in the first search:

index=myindex widget="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count



Re: How do I obtain counts of search results fields within a head command eval-expression?

Splunk Employee

OK so, the searches are being stripped from the answer.

index=myindex widget="widget_a"
| eventstats dc(chunk) as number_of_chunk_values_returned
| streamstats count
| where count<=number_of_chunk_values_returned

The streamstats command creates a row count that you can use to filter with the where command. You cannot have dynamic values in the head command, so it would not be helpful in this instance.

j

0 Karma

Re: How do I obtain counts of search results fields within a head command eval-expression?

Path Finder

@williamcharlton0028
Looking at your statement: My goal is to extend the query such that the search results includes only N events where N is the number of unique chunk values evaluated at the time the search is run.
For obtaining unique values, didn't dedup work for you?
To my understanding you should try something like this
index=myindex widget="widget_a" | dedup chunk

0 Karma
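The two approaches in this thread (the eventstats/streamstats/where row-count filter from the accepted answer, and the dedup suggestion in the last reply) behave differently once the chunk values are not neatly interleaved. Below is an added Python simulation of those SPL commands over the sample events from the question; it is example code written for this page, not Splunk code or anything from the original posts. The event list is constructed from the table above, and the function names are assumptions chosen to mirror the SPL commands. The row-count filter uses `<=` so that exactly N events are kept (`<` keeps N-1, because streamstats count starts at 1).

```python
# Constructed sample events, in search-result order (newest first),
# copied from the table in the question.
EVENTS = [
    {"_time": "2019-02-28T03:10:02.000-0500", "chunk": "widget_a_chunk_c", "widget": "widget_a"},
    {"_time": "2019-02-28T03:10:01.000-0500", "chunk": "widget_a_chunk_b", "widget": "widget_a"},
    {"_time": "2019-02-28T03:10:00.000-0500", "chunk": "widget_a_chunk_a", "widget": "widget_a"},
    {"_time": "2019-02-28T03:05:02.000-0500", "chunk": "widget_a_chunk_c", "widget": "widget_a"},
    {"_time": "2019-02-28T03:05:01.000-0500", "chunk": "widget_a_chunk_b", "widget": "widget_a"},
    {"_time": "2019-02-28T03:05:00.000-0500", "chunk": "widget_a_chunk_a", "widget": "widget_a"},
    {"_time": "2019-02-27T01:15:02.000-0500", "chunk": "widget_a_chunk_c", "widget": "widget_a"},
    {"_time": "2019-02-27T01:15:01.000-0500", "chunk": "widget_a_chunk_b", "widget": "widget_a"},
    {"_time": "2019-02-27T01:15:00.000-0500", "chunk": "widget_a_chunk_a", "widget": "widget_a"},
]

# A constructed reordering in which the first two events share a chunk value.
# Real search order would not look like this for the data above; it exists only
# to show where the row-count filter and dedup diverge.
SKEWED = [EVENTS[0], EVENTS[3], EVENTS[1], EVENTS[2]] + EVENTS[4:]


def eventstats_dc(events, field, out):
    """Like `eventstats dc(<field>) as <out>`: stamp every event with the
    number of distinct values of <field> across the whole result set."""
    dc = len({e[field] for e in events if field in e})
    return [dict(e, **{out: dc}) for e in events]


def streamstats_count(events, out="count"):
    """Like `streamstats count`: a running, 1-based row number in result order."""
    return [dict(e, **{out: i}) for i, e in enumerate(events, start=1)]


def first_n_by_distinct(events, field, strict=False):
    """The accepted answer's pipeline:
       eventstats dc(field) as number_of_chunk_values_returned
       | streamstats count
       | where count <= number_of_chunk_values_returned
    With strict=True the comparison is `<`, which drops one event too many."""
    annotated = streamstats_count(
        eventstats_dc(events, field, "number_of_chunk_values_returned"))
    if strict:
        return [e for e in annotated
                if e["count"] < e["number_of_chunk_values_returned"]]
    return [e for e in annotated
            if e["count"] <= e["number_of_chunk_values_returned"]]


def dedup(events, field):
    """Like `dedup <field>`: keep the first event seen for each value, in order."""
    seen = set()
    kept = []
    for e in events:
        if e[field] in seen:
            continue
        seen.add(e[field])
        kept.append(e)
    return kept


def chunks(events):
    """Helper for comparing results: just the chunk values, in order."""
    return [e["chunk"] for e in events]


if __name__ == "__main__":
    print("row-count <= :", chunks(first_n_by_distinct(EVENTS, "chunk")))
    print("row-count <  :", chunks(first_n_by_distinct(EVENTS, "chunk", strict=True)))
    print("dedup        :", chunks(dedup(EVENTS, "chunk")))
    print("skewed, row-count:", chunks(first_n_by_distinct(SKEWED, "chunk")))
    print("skewed, dedup    :", chunks(dedup(SKEWED, "chunk")))
```

On the interleaved sample data both approaches return the same three events. On the skewed ordering the row-count filter still returns exactly N events but two of them carry the same chunk value, while dedup returns one event per distinct value regardless of order; pick the one that matches what "N events" is supposed to mean for your data.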