Splunk Search

eventstats into multi-value list limit of max values

wfskmoney
Path Finder

Is there a limit on the maximum number of values in a multi-value field listSummary for

| eventstats list(variable) as listSummary by <group> 
0 Karma
1 Solution

jnudell_2
Builder

Hi @wfskmoney ,
As per the documentation referenced by @kamlesh_vaghela (https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description), the list(X) command has a limit of 100 values returned.

wfskmoney
Path Finder

Yet I noticed that my frequency summaries are accurate even after using lists on aggregated results with more than 100. Does this mean that Splunk in memory still processes all events, just doesn't display them in a table? In my case I use mvdedup at the end.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)
0 Karma

jnudell_2
Builder

Hi @wfskmoney ,
You're better off using values instead of list and dedup if you want unique values of amountInCHFCat.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats values(amountInCHFCat) as amountLabels, values(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)

Of course, you can use list in addition to values if your mvzip doesn't work the way you want it to after that.
In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). This is usually enough for most applications, but I have seen instances where the memory limit is reached (which you can see as a max_mem message in the search.log for the search job).

0 Karma
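As an added illustration (not code from the thread), here are two searches over synthetic events built with makeresults, reusing the thread's field names. The first shows list() stopping at 100 values while values() keeps every distinct value; the second builds the per-contract frequency summary by pairing each category with its count before aggregating, so neither the 100-value cap of list() nor the sorting and deduplication done by values() can misalign labels and counts.

```spl
| makeresults count=300
| streamstats count as n
| eval contractId = "C" . tostring(n % 2)
| eval amountInCHFCat = "cat" . tostring(n % 150)
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as labelsList, values(amountInCHFCat) as labelsValues by contractId
| eval listSize = mvcount(labelsList), valuesSize = mvcount(labelsValues)
| stats first(listSize) as listSize, first(valuesSize) as valuesSize, count as events by contractId

| makeresults count=300
| streamstats count as n
| eval contractId = "C" . tostring(n % 2)
| eval amountInCHFCat = "cat" . tostring(n % 150)
| stats count as HTamountCounts by contractId amountInCHFCat
| eval pair = amountInCHFCat . "|" . tostring(HTamountCounts)
| stats values(pair) as HTamountCounts, dc(amountInCHFCat) as distinctCats by contractId
```

Each constructed contractId holds 150 events spread over 75 distinct categories, so listSize in the first search reflects the cap rather than the data, while values(pair) in the second search carries the complete summary without needing mvzip or mvdedup.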

wfskmoney
Path Finder

Thanks, yes, I figured in memory it should be fine. So it is possible to use list() if I don't table out.

0 Karma

wfskmoney
Path Finder

However, I realized that my frequency counts are correct even after using list aggregation on more than 100 values. Could it be that Splunk in memory processes all the records, just doesn't display them in a table in an MV field? I use mvdedup at the end.

    | table contractId amountInCHFCat
    | eventstats count as HTamountCounts by contractId amountInCHFCat
    | eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
    | eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
    | eval amountLabels = mvdedup(amountLabels)
    | eval HTamountCounts = mvdedup(HTamountCounts)
0 Karma