Splunk Search

Values(x) showing too many results. Is there a way to limit the number of results to a field?

New Member

I am trying to limit the number of results shown when I use the values command. Here is my search:

index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"

The search works fine, but what i am having an issues with is when i get hundreds of results within a field. Is there a way to limit the number of results to a field, say 10-15 results to a field?


Path Finder

You can select a subset range of values in a multivalue field using mvindex. This example creates mv fields of all computers in the same subnet, then takes the first 3 as examples of computers in that subnet.

. . . | table computer_name subnet
      | mvcombine computer_name
      | eval examples = mvindex( computer_name, 0, 2 ) 
      | fields - computer_name

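The accepted answer above, and the later comment pointing out that head and limit cap events rather than the values inside a field, both come down to the same step: trim the multivalue field with mvindex after stats has built it. The search below applies that to the original question's search and is an added example, not code posted in the thread. Field names are the ones from the question; the dc(File_Name) count, the "... plus N more" marker and the final rename are my additions so the reader can tell that the list was cut and how much was hidden. The convert ... ctime(Time) line from the original search is left out because no Time field survives the stats ... by Source aggregation, so it had no effect.

```spl
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events"
        dc(File_Name) as Distinct_Files
        values(Channel) as "Method"
        values(Policies) as "Violated Policies"
        values(Destination) as Destination
        values(File_Name) as File_Name
        by Source
| eval File_Name = mvindex(File_Name, 0, 9)
| eval File_Name = if(Distinct_Files > 10,
                      mvappend(File_Name, "... plus " . (Distinct_Files - 10) . " more"),
                      File_Name)
| sort - "Number of Events"
| rename File_Name as "File Name", Distinct_Files as "Distinct Files"
```

Three things to keep in mind when reading the result. mvindex is zero-based and the end index is inclusive, so 0 to 9 keeps ten values. values() returns its entries sorted lexicographically, so the ten you see are the first ten by name, not the most recent or the most frequent; if the order matters for an investigation, aggregate by Source and File_Name first and pick the top rows by count before collapsing. Finally, values() and list() are themselves capped by the maxvalues setting in the [stats] stanza of limits.conf (100 by default), which is why Distinct_Files is computed with dc() rather than by counting the multivalue field: the count stays correct even when the list was already truncated before mvindex ran.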

New Member

I am not trying to limit the number of records returned, as you can do with head and top. This is an example of the data result, and the field in this case that I want to limit is "File Name". So let's say I only wanted to return (x) number of file names. For testing purposes let's say x=10.

Source: Doe, John
Number of Events: 25771
Method: MEDIA
Violated Policies: HPolicyName1
Destination: WD My Passport
File Name (20 values in one multivalue field):
    f:\myfilename1.msg - 813 KB
    f:\myfilename2.msg - 813 KB
    f:\myfilename3.msg - 813 KB
    f:\myfilename4.msg - 813 KB
    f:\myfilename5.msg - 813 KB
    f:\myfilename6.msg - 813 KB
    f:\myfilename7.msg - 813 KB
    f:\myfilename8.msg - 813 KB
    f:\myfilename9.msg - 813 KB
    f:\myfilename10.msg - 813 KB
    f:\myfilename11.msg - 813 KB
    f:\myfilename12.msg - 813 KB
    f:\myfilename13.msg - 813 KB
    f:\myfilename14.msg - 813 KB
    f:\myfilename15.msg - 813 KB
    f:\myfilename16.msg - 813 KB
    f:\myfilename17.msg - 813 KB
    f:\myfilename18.msg - 813 KB
    f:\myfilename19.msg - 813 KB
    f:\myfilename20.msg - 813 KB


Path Finder

Hello,

Try with:
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"
| head 15


Hi, patient and Sandrine,
Limit and head, as you used them, affect the number of events, not the number of values of a given field.

The function values(X) gives us the list of all distinct values of the field X as a multivalue entry. So what ivanayala needs is to reduce or limit that number of values.


New Member

I added some more information to my question. Thank you for replying.


Hi ivanayala,
Try with the top command and add the limit attribute, like in this example: index=_internal | stats count by sourcetype | top limit=3 sourcetype


New Member

I added some more information to my question. Thank you for replying.
