
Is there an alternative to the stats list and values functions to get my expected result?

Path Finder

I'm having problems with getting all the values to display when using this:

|stats count, values(host) as Host, list(Time1), list(Time2) by devtype

It shows me a count of all the hosts for each devtype. There can be hundreds of hosts for each devtype, so it's only displaying the first 100 results for the Time1 and Time2 fields, which I know is a limitation of list, but I can't use values for the time fields because there can be duplicate values and it won't work.

Does anyone have a suggestion for another way of getting everything to display?


Re: Is there an alternative to the stats list and values functions to get my expected result?

Legend

Try this

... | stats count by devtype host Time1 Time2 

Re: Is there an alternative to the stats list and values functions to get my expected result?

Path Finder

Not quite what I'm looking for. I'm trying to get each unique devtype to display once and show all the hosts within that location and the times for each host - only there's hundreds of hosts for each devtype:

Example:
devtype  host   time1     time2
Dell     host1  10:00:00  11:00:00
HP       host2  10:00:00  10:30:00
         host3  12:00:00  13:00:00
         host4  12:30:00  14:00:00
IBM      host5  07:00:00  08:00:00
         host6  07:00:00  08:00:00


Re: Is there an alternative to the stats list and values functions to get my expected result?

Path Finder

This isn't quite what I'm looking for.
This results in the devtype being listed for every host. I'm trying to show each devtype once and then show each host and the times for each host.


Re: Is there an alternative to the stats list and values functions to get my expected result?

Motivator

Values(x) has an implied dedup. List(x) will list all values.


Re: Is there an alternative to the stats list and values functions to get my expected result?

Path Finder

List(x) has a limit of returning the first 100 - that's the issue at hand.


Re: Is there an alternative to the stats list and values functions to get my expected result?

SplunkTrust

Give this a try

your base search |stats count latest(Time1) as Time1 latest(Time2) as Time2 by devtype host 
| stats sum(count) as count list(host) as Host list(Time1), list(Time2) by devtype

Re: Is there an alternative to the stats list and values functions to get my expected result?

Path Finder

Thanks, but that's still limiting to 100 hosts.


Re: Is there an alternative to the stats list and values functions to get my expected result?

Engager

I am also facing the same issue. Did you find any solution?

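One way to get the layout asked for above without list(), as an added example that is not from any poster in this thread: keep one result row per host/time combination, so no multivalue field (and no 100-item cap) is involved, then blank the devtype on every row after the first in its group. The field names `events`, `hosts` and `row` are made up for this sketch, and `your base search` is a placeholder as in the replies above.

```spl
your base search
| fillnull value="-" Time1 Time2
| stats count as events by devtype host Time1 Time2
| eventstats dc(host) as hosts by devtype
| sort 0 devtype host Time1
| streamstats count as row by devtype
| eval devtype=if(row==1, devtype, ""), hosts=if(row==1, hosts, null())
| table devtype hosts host Time1 Time2 events
```

`fillnull` keeps hosts with a missing time from being dropped by the `by` clause, and `sort 0` lifts the default 10,000-row sort limit so large devtype groups stay intact.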