Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for and get all values of a field which occurred, but without the timestamps?

likejudo
Loves-to-Learn
‎07-24-2022 07:05 PM

I only want to know for field methodName=XYZ

All the methodNames that occurred. I do not want the timestamps for each occurrence.

So I want a table

ABC

DEF

...

XYZ

Labels (1)
Labels
0 Karma
Reply

JacekF
Path Finder
‎07-24-2022 10:01 PM

You can do the following:

| stats values(methodName) as methodName
| mvexpand methodName

The above will be limited to 100 unique values by default. If you have more values than that (Splunk will tell you if there are more) you can try different approach:

| stats count by methodName
| fields - methodName

| fields - count

0 Karma
Reply

likejudo
Loves-to-Learn
‎07-25-2022 05:16 AM

Thank you for your reply. There are hundreds of method names in our applications, in the splunk logs.

In the search bar I should enter this? fields - methodName

@JacekF wrote:

The above will be limited to 100 unique values by default. If you have more values than that (Splunk will tell you if there are more) you can try different approach:

| stats count by methodName
| fields - methodName



0 Karma
Reply

JacekF
Path Finder
‎07-25-2022 05:21 AM

I've made a mistake, there should be

| fields - count

sorry for that.

You need to add below part to the end of your query

| stats count by methodName
| fields - count

0 Karma
Reply

likejudo
Loves-to-Learn
‎07-25-2022 06:27 AM

I want the actual values of methodName, not a count. There will be hundreds but I just want the values, and not the timestamps, not the count.

0 Karma
Reply

JacekF
Path Finder
‎07-25-2022 06:31 AM

The stats function will return a table with two columns: methodName and count and as many rows as many you have different method names in methodName field.

The "| fields - count" command will remove count column leaving only methodName column.

0 Karma
Reply

likejudo
Loves-to-Learn
‎07-25-2022 10:13 AM

Thank you! I see a table with almost 2K entries. I clicked Save As and then tried to print to pdf.

However, it only has 4 pages when I open the pdf.

Is there any way to get it to save all 2K values?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...