Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

twinspop
Influencer
‎02-15-2013 02:43 PM

Both list() and values() return distinct values of an MV field. Although list() claims to return the values in the order received, real world use isn't proving that out. It is also (apparently) lexicographically sorted, contrary to the docs. Is there a function that will return all values, dups and all, in the order of the log entries?

Example:

index=uexlog sid | transaction SID | stats list(uri) as URIs list(rtt) as RTT by SID

Returns a list of SIDs, each with a list of URIs hit for that session and a list of RTTs. However, because list() dedups, the URIs and RTTs don't match up. And the list of URIs is most definitely in lexicographical order, not the original order of the events as received.

Thanks,
Jon

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:15 PM

list() does not dedup. Consider this query:

| gentimes start=-1 increment=1h | eval foo=0 | stats list(foo) values(foo)

It yields 24 zeroes for list() and 1 zero for values().

However, by default list() is limited to only yield the first 100 values, see http://docs.splunk.com/Documentation/Splunk/latest/admin/limitsconf (list_maxsize).

You can test your local limit with this:

| gentimes start=-1 increment=1s | eval foo = starttime % 10000  | stats list(foo) values(foo)

You'll get 50 displayed each, with list having 50 more values and values having 9950 more values using the default limits.conf settings.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:15 PM

list() does not dedup. Consider this query:

| gentimes start=-1 increment=1h | eval foo=0 | stats list(foo) values(foo)

It yields 24 zeroes for list() and 1 zero for values().

However, by default list() is limited to only yield the first 100 values, see http://docs.splunk.com/Documentation/Splunk/latest/admin/limitsconf (list_maxsize).

You can test your local limit with this:

| gentimes start=-1 increment=1s | eval foo = starttime % 10000  | stats list(foo) values(foo)

You'll get 50 displayed each, with list having 50 more values and values having 9950 more values using the default limits.conf settings.

Reply
Solved! Jump to solution

fujimori
New Member
‎09-14-2016 10:44 PM

good answer!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:30 PM

Here's one with multivalue string fields:

| gentimes start=-1 increment=1h | eval f1 = starttime % 7200 . "foo" | eval f2 = starttime % 10800 . "foo" | eval f = f1.",".f2 | fields - f1 f2 | makemv f delim="," | stats list(f) values(f)

Does not dedup for me.

Edit: Indeed, transaction can be a bugger.

0 Karma
Reply
Solved! Jump to solution

swarnkar
Explorer
‎09-13-2016 02:50 AM

Is there a way to get list() finctionality with tstats...In my app we are currently using tstats to read from a Accelerated datamodel, but in one of the situation we need to retrieve multivalued field with sequence of the values intact. Which is possible with list(), But tstats doent support list().

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-13-2016 06:46 PM

tstats isn't great with ordering... Ideally, you'd open a new question for this to explore the possibilities and alternatives.

0 Karma
Reply
Solved! Jump to solution

swarnkar
Explorer
‎09-14-2016 10:10 PM

Sure I will. Thanks a lot for the response.

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎02-15-2013 04:24 PM

Dammit. You're right. The transaction command is the one getting me. Need mvlist=t. Apologies. Thanks for the help.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...