Splunk Search

What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

twinspop
Influencer

Both list() and values() return distinct values of an MV field. Although list() claims to return the values in the order received, real world use isn't proving that out. It is also (apparently) lexicographically sorted, contrary to the docs. Is there a function that will return all values, dups and all, in the order of the log entries?

Example:

index=uexlog sid | transaction SID | stats list(uri) as URIs list(rtt) as RTT by SID 

Returns a list of SIDs, each with a list of URIs hit for that session and a list of RTTs. However, because list() dedups, the URIs and RTTs don't match up. And the list of URIs is most definitely in lexicographical order, not the original order of the events as received.

Thanks,
Jon

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

list() does not dedup. Consider this query:

| gentimes start=-1 increment=1h | eval foo=0 | stats list(foo) values(foo)

It yields 24 zeroes for list() and 1 zero for values().

However, by default list() is limited to only yield the first 100 values, see http://docs.splunk.com/Documentation/Splunk/latest/admin/limitsconf (list_maxsize).

You can test your local limit with this:

| gentimes start=-1 increment=1s | eval foo = starttime % 10000  | stats list(foo) values(foo)

You'll get 50 displayed each, with list having 50 more values and values having 9950 more values using the default limits.conf settings.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

list() does not dedup. Consider this query:

| gentimes start=-1 increment=1h | eval foo=0 | stats list(foo) values(foo)

It yields 24 zeroes for list() and 1 zero for values().

However, by default list() is limited to only yield the first 100 values, see http://docs.splunk.com/Documentation/Splunk/latest/admin/limitsconf (list_maxsize).

You can test your local limit with this:

| gentimes start=-1 increment=1s | eval foo = starttime % 10000  | stats list(foo) values(foo)

You'll get 50 displayed each, with list having 50 more values and values having 9950 more values using the default limits.conf settings.

fujimori
New Member

good answer!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Here's one with multivalue string fields:

| gentimes start=-1 increment=1h | eval f1 = starttime % 7200 . "foo" | eval f2 = starttime % 10800 . "foo" | eval f = f1.",".f2 | fields - f1 f2 | makemv f delim="," | stats list(f) values(f)

Does not dedup for me.

Edit: Indeed, transaction can be a bugger.

0 Karma

swarnkar
Explorer

Is there a way to get list() finctionality with tstats...In my app we are currently using tstats to read from a Accelerated datamodel, but in one of the situation we need to retrieve multivalued field with sequence of the values intact. Which is possible with list(), But tstats doent support list().

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

tstats isn't great with ordering... Ideally, you'd open a new question for this to explore the possibilities and alternatives.

0 Karma

swarnkar
Explorer

Sure I will. Thanks a lot for the response.

0 Karma

twinspop
Influencer

Dammit. You're right. The transaction command is the one getting me. Need mvlist=t. Apologies. Thanks for the help.

Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...