
Values(x) showing too many results. Is there a way to limit the number of results to a field?

New Member

I am trying to limit the number of results shown when I use the values command. Here is my search:

index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"

The search works fine, but what I am having issues with is when I get hundreds of results within a field. Is there a way to limit the number of results to a field, say 10-15 results to a field?


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

Hi ivanayala,
Try with the top command and add the limit attribute, like this example: index=_internal | stats count by sourcetype | top limit=3 sourcetype


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

New Member

I added some more information to my question. Thank you for replying.


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

Path Finder

Hello,

Try with:
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"
| head 15


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

New Member

I added some more information to my question. Thank you for replying.


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

Hi, patient and Sandrine
Limit and head, as you used them, affect the number of events, not the number of values of a given field.

The function values(X) gives us the list of all distinct values of the field X as a multivalue entry. So what ivanayala needs is to reduce or limit that number of values.


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

New Member

I am not trying to limit the number of records returned, as you can do with head and top. This is an example of the data result, and the field in this case that I want to limit is "File Name". So let's say I only wanted to return (x) number of file names. For testing purposes let's say x=10.

Source: Doe, John
Number of Events: 25771
Method: MEDIA
Violated Policies: HPolicyName1
Destination: WD My Passport
File Name:
    f:\myfilename1.msg - 813 KB
    f:\myfilename2.msg - 813 KB
    f:\myfilename3.msg - 813 KB
    f:\myfilename4.msg - 813 KB
    f:\myfilename5.msg - 813 KB
    f:\myfilename6.msg - 813 KB
    f:\myfilename7.msg - 813 KB
    f:\myfilename8.msg - 813 KB
    f:\myfilename9.msg - 813 KB
    f:\myfilename10.msg - 813 KB
    f:\myfilename11.msg - 813 KB
    f:\myfilename12.msg - 813 KB
    f:\myfilename13.msg - 813 KB
    f:\myfilename14.msg - 813 KB
    f:\myfilename15.msg - 813 KB
    f:\myfilename16.msg - 813 KB
    f:\myfilename17.msg - 813 KB
    f:\myfilename18.msg - 813 KB
    f:\myfilename19.msg - 813 KB
    f:\myfilename20.msg - 813 KB


Re: Values(x) showing too many results. Is there a way to limit the number of results to a field?

Path Finder

You can select a subset range of values in a multivalue field using mvindex. This example creates multivalue fields of all computers in the same subnet, then takes the first 3 as examples of computers in that subnet.

. . . | table computer_name subnet
      | mvcombine computer_name
      | eval examples = mvindex( computer_name, 0, 2 )
      | fields - computer_name

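Applying the mvindex approach to the search from the question, as an added example that is not part of the thread (it assumes the field names used there, and adds a "File Count" field of my own naming that records the total number of distinct files before the list is cut to the first 10):

```spl
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| eval "File Count"=mvcount('File Name')
| eval "File Name"=mvindex('File Name', 0, 9)
| sort - "Number of Events"
```

Because values() returns the distinct values in lexicographic order, the 10 kept are the first alphabetically, not the most frequent; keeping "File Count" alongside them means the row still shows how many files a Source actually touched, so the truncation does not hide the scale of an incident.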