Both list() and values() return distinct values of an MV field. Although list() claims to return the values in the order received, real world use isn't proving that out. It is also (apparently) lexicographically sorted, contrary to the docs. Is there a function that will return all values, dups and all, in the order of the log entries?
Example:
index=uexlog sid | transaction SID | stats list(uri) as URIs list(rtt) as RTT by SID
Returns a list of SIDs, each with a list of URIs hit for that session and a list of RTTs. However, because list() dedups, the URIs and RTTs don't match up. And the list of URIs is most definitely in lexicographical order, not the original order of the events as received.
Thanks,
Jon

list() does not dedup. Consider this query:
| gentimes start=-1 increment=1h | eval foo=0 | stats list(foo) values(foo)
It yields 24 zeroes for list() and 1 zero for values().
However, by default list() is limited to only yield the first 100 values, see http://docs.splunk.com/Documentation/Splunk/latest/admin/limitsconf (list_maxsize).
You can test your local limit with this:
| gentimes start=-1 increment=1s | eval foo = starttime % 10000 | stats list(foo) values(foo)
You'll get 50 displayed each, with list having 50 more values and values having 9950 more values using the default limits.conf settings.

good answer!

Here's one with multivalue string fields:
| gentimes start=-1 increment=1h | eval f1 = starttime % 7200 . "foo" | eval f2 = starttime % 10800 . "foo" | eval f = f1.",".f2 | fields - f1 f2 | makemv f delim="," | stats list(f) values(f)
Does not dedup for me.
Edit: Indeed, transaction can be a bugger.

Is there a way to get list() functionality with tstats? In my app we are currently using tstats to read from an accelerated data model, but in one situation we need to retrieve a multivalued field with the sequence of the values intact. That is possible with list(), but tstats doesn't support list().

tstats isn't great with ordering... Ideally, you'd open a new question for this to explore the possibilities and alternatives.

Sure I will. Thanks a lot for the response.
Dammit. You're right. The transaction command is the one getting me. Need mvlist=t. Apologies. Thanks for the help.
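
The resolution reached in this thread, as an added example that is not part of any post above: six constructed events (built with makeresults; the SID, uri and rtt values are made up) in two sessions, where each session repeats a URI, run through the question's own transaction and stats pipeline with mvlist=t.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = _time - n
| eval SID = if(n % 2 == 1, "s1", "s2")
| eval uri = mvindex(split("/login,/login,/cart,/cart,/login,/login", ","), n - 1)
| eval rtt = 100 - n * 10
| sort 0 - _time
| transaction SID mvlist=t
| stats list(uri) as URIs list(rtt) as RTT by SID
```

With mvlist=t each session keeps one uri and one rtt per event, so the two columns line up. Removing mvlist=t returns to transaction's default, where each multivalue field becomes a set of unique values sorted alphabetically, which is the mismatch described in the question.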
