Solved: Values(x) showing too many results. Is there a way...

ivanayala · ‎03-31-2015

I am trying to limit the number of results shown when I use the values command. Here is my search:

index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"

The search works fine, but what i am having an issues with is when i get hundreds of results within a field. Is there a way to limit the number of results to a field, say 10-15 results to a field?

templets · ‎02-13-2017

you can select a subset range of values in a multivalued field using mvindex. This example creates mv fields of all computers in the same subnet, then takes the first 3 as examples of computers in that subnet.

. . . | table computer_name subnet
      | mvcombine computer_name
      | eval examples = mvindex( computer_name, 0, 2 ) 
      | fields - computer_name

View solution in original post

templets · ‎02-13-2017

you can select a subset range of values in a multivalued field using mvindex. This example creates mv fields of all computers in the same subnet, then takes the first 3 as examples of computers in that subnet.

. . . | table computer_name subnet
      | mvcombine computer_name
      | eval examples = mvindex( computer_name, 0, 2 ) 
      | fields - computer_name

ivanayala · ‎03-31-2015

I am not trying to limit the number of records returned as you can do with head and top. This is an example of the date result and the field in this case that I want to limit is the "File Name". So lets say I only wanted to return (x) number of file names. For testing purposes lets say x=10

Source Number of Events Method Violated Policies Destination File Name
Doe, John 25771 MEDIA HPolicyName1 WD My Passport f:\myfilename1.msg - 813 KB
f:\myfilename2.msg - 813 KB
f:\myfilename3.msg - 813 KB
f:\myfilename4.msg - 813 KB
f:\myfilename5.msg - 813 KB
f:\myfilename6.msg - 813 KB
f:\myfilename7.msg - 813 KB
f:\myfilename8.msg - 813 KB
f:\myfilename9.msg - 813 KB
f:\myfilename10.msg - 813 KB
f:\myfilename11.msg - 813 KB
f:\myfilename12.msg - 813 KB
f:\myfilename13.msg - 813 KB
f:\myfilename14.msg - 813 KB
f:\myfilename15.msg - 813 KB
f:\myfilename16.msg - 813 KB
f:\myfilename17.msg - 813 KB
f:\myfilename18.msg - 813 KB
f:\myfilename19.msg - 813 KB
f:\myfilename20.msg - 813 KB

Patient · ‎03-31-2015

Hello,

Try with:
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"| head 15

stephane_cyrill · ‎03-31-2015

Hi, patient and Sandrine
Limit and head as you used affect the number of event not the number of values of a given field.

the function value(X) gives us the list of all distinct values of the field X as a multi-value entry. So what ivanayala need is to reduce or limit that number of values.

ivanayala · ‎03-31-2015

I added some more information to my question. Thank you for replying.

ngatchasandra · ‎03-31-2015

Hi ivanayala,
Try with top command and add limit attribut like example index=_internal | stats count by soucetype | top limit= 3 sourcetype

ivanayala · ‎03-31-2015

I added some more information to my question. Thank you for replying.

Values(x) showing too many results. Is there a way to limit the number of results to a field?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout