
What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

Influencer

Both list() and values() return distinct values of an MV field. Although list() claims to return the values in the order received, real world use isn't proving that out. It is also (apparently) lexicographically sorted, contrary to the docs. Is there a function that will return all values, dups and all, in the order of the log entries?

Example:

index=uexlog sid | transaction SID | stats list(uri) as URIs list(rtt) as RTT by SID 

Returns a list of SIDs, each with a list of URIs hit for that session and a list of RTTs. However, because list() dedups, the URIs and RTTs don't match up. And the list of URIs is most definitely in lexicographical order, not the original order of the events as received.

Thanks,
Jon


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

SplunkTrust

list() does not dedup. Consider this query:

| gentimes start=-1 increment=1h | eval foo=0 | stats list(foo) values(foo)

It yields 24 zeroes for list() and 1 zero for values().

However, by default list() is limited to only yield the first 100 values, see http://docs.splunk.com/Documentation/Splunk/latest/admin/limitsconf (list_maxsize).

You can test your local limit with this:

| gentimes start=-1 increment=1s | eval foo = starttime % 10000  | stats list(foo) values(foo)

You'll get 50 displayed each, with list having 50 more values and values having 9950 more values using the default limits.conf settings.


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

Influencer

Dammit. You're right. The transaction command is the one getting me. Need mvlist=t. Apologies. Thanks for the help.
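Two ways to get matching URI and RTT lists out of the original query, written as added examples rather than code from the thread: the first keeps transaction but adds mvlist=t so its multivalue fields retain duplicates in arrival order, the second drops transaction and lets stats list() keep them. The index, SID, uri and rtt names are the ones from the question; mvzip pairs the two lists positionally, and the mvcount check flags sessions that reached the 100-value list_maxsize default mentioned in the accepted answer.

```spl
index=uexlog sid
| sort 0 _time
| transaction SID mvlist=t
| eval pair=mvzip(uri, rtt, " ")
| table SID eventcount pair

index=uexlog sid
| sort 0 _time
| stats list(uri) as URIs list(rtt) as RTT by SID
| eval pair=mvzip(URIs, RTT, " ")
| eval hit_list_cap=if(mvcount(URIs)>=100, "yes", "no")
| table SID hit_list_cap pair
```

If hit_list_cap is "yes" for any SID, the list was cut at list_maxsize and the pairing after position 100 is not trustworthy.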


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

SplunkTrust

Here's one with multivalue string fields:

| gentimes start=-1 increment=1h | eval f1 = starttime % 7200 . "foo" | eval f2 = starttime % 10800 . "foo" | eval f = f1.",".f2 | fields - f1 f2 | makemv f delim="," | stats list(f) values(f)

Does not dedup for me.

Edit: Indeed, transaction can be a bugger.


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

Explorer

Is there a way to get list() functionality with tstats? In my app we are currently using tstats to read from an accelerated data model, but in one of the situations we need to retrieve a multivalued field with the sequence of the values intact, which is possible with list(), but tstats doesn't support list().


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

SplunkTrust

tstats isn't great with ordering... Ideally, you'd open a new question for this to explore the possibilities and alternatives.


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

Explorer

Sure I will. Thanks a lot for the response.


Re: What's the difference between chart functions list() and values()? Is there a similar function that doesn't dedup?

New Member

good answer!
