Splunk Search

Values(x) showing too many results. Is there a way to limit the number of results to a field?

ivanayala
New Member

I am trying to limit the number of results shown when I use the values command. Here is my search:

index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"

The search works fine, but what I am having issues with is when I get hundreds of results within a field. Is there a way to limit the number of results for a field, say 10-15 results per field?

1 Solution

templets
Path Finder

You can select a subset range of values in a multivalued field using mvindex. This example creates mv fields of all computers in the same subnet, then takes the first 3 as examples of computers in that subnet.

. . . | table computer_name subnet
      | mvcombine computer_name
      | eval examples = mvindex( computer_name, 0, 2 ) 
      | fields - computer_name


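The accepted answer shows mvindex on a field built with mvcombine. Applied to the original search, the same trick can be used directly on the multivalue field that values() produces. The following is an added example, not code from the thread; it assumes the same index and field names as the question, drops the convert line (no Time field survives the two stats commands), and keeps the first 10 file names while appending a marker with how many were cut off. The file_count field and the marker text are illustrative choices.

```spl
index="mydata" earliest=-48h latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| eval file_count = mvcount('File Name')
| eval "File Name" = mvindex('File Name', 0, 9)
| eval "File Name" = if(file_count > 10, mvappend('File Name', "(" . tostring(file_count - 10) . " more not shown)"), 'File Name')
| sort - "Number of Events"
```

Field names containing spaces must be referenced with single quotes inside eval, which is why 'File Name' appears quoted. Note that values() returns distinct values sorted lexicographically, so mvindex(…, 0, 9) gives the first 10 file names alphabetically, not the 10 most frequent; the mvcount taken before truncation is what lets the result say how many values were dropped.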
ivanayala
New Member

I am not trying to limit the number of records returned, as you can do with head and top. This is an example of the data result, and the field in this case that I want to limit is the "File Name". So let's say I only wanted to return (x) number of file names. For testing purposes, let's say x=10.

Source: Doe, John
Number of Events: 25771
Method: MEDIA
Violated Policies: HPolicyName1
Destination: WD My Passport
File Name:
    f:\myfilename1.msg - 813 KB
    f:\myfilename2.msg - 813 KB
    f:\myfilename3.msg - 813 KB
    f:\myfilename4.msg - 813 KB
    f:\myfilename5.msg - 813 KB
    f:\myfilename6.msg - 813 KB
    f:\myfilename7.msg - 813 KB
    f:\myfilename8.msg - 813 KB
    f:\myfilename9.msg - 813 KB
    f:\myfilename10.msg - 813 KB
    f:\myfilename11.msg - 813 KB
    f:\myfilename12.msg - 813 KB
    f:\myfilename13.msg - 813 KB
    f:\myfilename14.msg - 813 KB
    f:\myfilename15.msg - 813 KB
    f:\myfilename16.msg - 813 KB
    f:\myfilename17.msg - 813 KB
    f:\myfilename18.msg - 813 KB
    f:\myfilename19.msg - 813 KB
    f:\myfilename20.msg - 813 KB


Patient
Path Finder

Hello,

Try with:
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"
| head 15


stephane_cyrill
Builder

Hi, Patient and Sandrine,
Limit and head as you used them affect the number of events, not the number of values of a given field.

The function values(X) gives us the list of all distinct values of the field X as a multivalue entry. So what ivanayala needs is to reduce or limit that number of values.

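The point above is the crux: head and top cut rows, while the question is about cutting entries inside one multivalue cell. If the goal is to keep the 10 most frequent file names per Source (rather than the first 10 alphabetically, which is what values() plus mvindex would give), the ranking has to happen on rows before the values are folded back into a multivalue field. The following is an added example, not code from the thread; it assumes the index and field names from the question and that "Number of Events" should still count all events for the Source, including those whose file names are not shown. The total and rank field names are illustrative.

```spl
index="mydata" earliest=-48h latest=now
| stats count by Source File_Name
| eventstats sum(count) as total by Source
| sort 0 Source - count
| streamstats count as rank by Source
| where rank <= 10
| stats max(total) as "Number of Events" list(File_Name) as "File Name" by Source
| sort - "Number of Events"
```

eventstats records the per-Source total before any rows are discarded; sort 0 orders rows by Source and then by descending count without the default row limit; streamstats numbers the rows within each Source, so where rank <= 10 keeps exactly the top 10 file names per Source. The final stats uses list() instead of values() because list() preserves the input order, so the multivalue cell stays sorted by frequency.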

ivanayala
New Member

I added some more information to my question. Thank you for replying.


ngatchasandra
Builder

Hi ivanayala,
Try with the top command and add the limit attribute, like in this example: index=_internal | stats count by sourcetype | top limit=3 sourcetype


ivanayala
New Member

I added some more information to my question. Thank you for replying.
