
Why is values(foo) here?

Communicator

Why is values(Authentication.user_category) here when further down there is "where Authentication.user_category=default"? The where statement would only show results when Authentication.user_category=default, but isn't values(Authentication.user_category) giving a list of all the distinct values of the field "user_category"? So wouldn't there only be one distinct value shown, "default", because that's how the search is filtering it?

| tstats summariesonly max(_time) as _time,values(Authentication.user_category) as user_category,dc(Authentication.dest) as dc(dest) from datamodel=Authentication where Authentication.user_category=default by Authentication.user | drop_dm_object_name("Authentication") | sort 100 - _time | fields _time,user,user_category,dc(dest)


Re: Why is values(foo) here?

SplunkTrust

That is correct. The creator of the search may have wanted to print the value of Authentication.user_category in the result, hence he may have added it. It could be replaced by a search like this (use an eval to create a static field).

| tstats summariesonly max(_time) as _time,dc(Authentication.dest) as dc(dest) from datamodel=Authentication where Authentication.user_category=default by Authentication.user | drop_dm_object_name("Authentication") | eval user_category="default" | sort 100 - _time | fields _time,user,user_category,dc(dest)



Re: Why is values(foo) here?

Champion

You are correct, you will only ever see the user_category with a value of default in the corresponding results. You would get the same result by removing that operator and adding Authentication.user_category to the by clause.

It just carries the filtered value into the results. There are other ways you could do this, this is just one way.
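As an added illustration (not code from either poster), the eval shortcut and the values() form agree only because the where clause pins user_category to a single value. If the filter admits several categories, the by-clause variant mentioned above keeps each user's actual category in the results; the field names follow the Authentication data model as used in this thread, and the second category value "privileged" is a constructed example:

```spl
| tstats summariesonly=true max(_time) as _time, dc(Authentication.dest) as dest_count
    from datamodel=Authentication
    where (Authentication.user_category=default OR Authentication.user_category=privileged)
    by Authentication.user, Authentication.user_category
| drop_dm_object_name("Authentication")
| sort 100 - _time
| fields _time, user, user_category, dest_count
```

With a single-value filter this produces the same rows as the eval version; with a multi-value filter a user who authenticated under both categories appears once per category, which eval user_category="default" would silently mislabel.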