Show All the Results within the Field

keldridg2 · ‎10-23-2019

I want to show all the results within the field itself as I do not want it just show the top 10 limits from the list. I would like to see the result that lowest number of results. Is there a command out there that can show you unlimited results?

aberkow · ‎10-23-2019

The values and list functions of the stats command in a search might be what you're looking for based on your question, but I agree with the person above that we likely need a bit more information to adequately answer your question. If you want to try running a search, something like this might be it:

your initial search... | stats values(field) as uniqueValuesFromField, list(field) as listOfValuesFromField by whateverGroupByYouWantOrNone

another interpretation of your question: you want to see the result with the lowest count:

your initial search... | stats count by field

Let me know if either of these help!

EDIT -- Using stats with the min function seemed to work here

Sahr_Lebbie · ‎10-23-2019

Keldrig2, What search are you running?

And are you wanting to see the values from the field based on the interesting fields or are you okay with looking at all the results in a table format?

keldridg2 · ‎10-23-2019

I am searching for a eventtype in looking for the lowest values. I do want to see the field based from the interesting fields.

aberkow · ‎10-24-2019

Try using the min function in a stats command then?

keldridg2 · ‎10-24-2019

Yes, that help me out.

Show All the Results within the Field

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?