Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for and get all values of a field which occurred, but without the timestamps?

likejudo
Loves-to-Learn
‎07-24-2022 07:05 PM

I only want to know for field methodName=XYZ

All the methodNames that occurred. I do not want the timestamps for each occurrence.

So I want a table

ABC

DEF

...

XYZ

Labels (1)
Labels
0 Karma
Reply

JacekF
Path Finder
‎07-24-2022 10:01 PM

You can do the following:

| stats values(methodName) as methodName
| mvexpand methodName

The above will be limited to 100 unique values by default. If you have more values than that (Splunk will tell you if there are more) you can try different approach:

| stats count by methodName
| fields - methodName

| fields - count

0 Karma
Reply

likejudo
Loves-to-Learn
‎07-25-2022 05:16 AM

Thank you for your reply. There are hundreds of method names in our applications, in the splunk logs.

In the search bar I should enter this? fields - methodName

@JacekF wrote:

The above will be limited to 100 unique values by default. If you have more values than that (Splunk will tell you if there are more) you can try different approach:

| stats count by methodName
| fields - methodName



0 Karma
Reply

JacekF
Path Finder
‎07-25-2022 05:21 AM

I've made a mistake, there should be

| fields - count

sorry for that.

You need to add below part to the end of your query

| stats count by methodName
| fields - count

0 Karma
Reply

likejudo
Loves-to-Learn
‎07-25-2022 06:27 AM

I want the actual values of methodName, not a count. There will be hundreds but I just want the values, and not the timestamps, not the count.

0 Karma
Reply

JacekF
Path Finder
‎07-25-2022 06:31 AM

The stats function will return a table with two columns: methodName and count and as many rows as many you have different method names in methodName field.

The "| fields - count" command will remove count column leaving only methodName column.

0 Karma
Reply

likejudo
Loves-to-Learn
‎07-25-2022 10:13 AM

Thank you! I see a table with almost 2K entries. I clicked Save As and then tried to print to pdf.

However, it only has 4 pages when I open the pdf.

Is there any way to get it to save all 2K values?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...