Is there a limit of max values in a multi-value field listSummary for
| eventstats list(variable) as listSummary by <group>
Hi @wfskmoney ,
As per the document referenced by @kamlesh_vaghela (https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description), the list(X) command has a limit of 100 values returned.
Yet I noticed that my frequency summaries are accurate even after using lists on aggregated results with more than 100 values. Does this mean that Splunk in memory still processes all events, and just doesn't display them in a table? In my case I use mvdedup at the end.
| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)
Hi @wfskmoney ,
You're better off using values instead of list and dedup if you want unique values of amountInCHFCat.
| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats values(amountInCHFCat) as amountLabels, values(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)
Of course, you can use list in addition to values if your mvzip doesn't work the way you want it to after that.
In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). This is usually enough for most applications, but I have seen instances where the memory limit is reached (which you can see as a max_mem message in the search.log for the search job).
Thanks, yes, I figured in memory it should be fine. So it is possible to use list() if I don't table it out.
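To see the two behaviours this exchange is circling around side by side (per-group counts computed over every event, while the list() multivalue field is cut off at 100 entries), here is an added reproduction on constructed data; it is not code from the thread. It uses makeresults to fabricate 150 rows for one contract spread over 120 distinct categories, so cat1 to cat30 occur twice and every other category once. The field names contractId, amountInCHFCat, amountLabels and HTamountCounts are the question's own; distinctLabels and listedLabels are added here. The cap it relies on is Splunk's documented 100-value limit for list(), controlled by list_maxsize in the [stats] stanza of limits.conf.

```spl
| makeresults count=150
| streamstats count as n
| eval contractId="C1", amountInCHFCat="cat".(n % 120)
| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts, dc(amountInCHFCat) as distinctLabels by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels=mvdedup(amountLabels), HTamountCounts=mvdedup(HTamountCounts)
| eval listedLabels=mvcount(amountLabels)
| head 1
| table contractId distinctLabels listedLabels HTamountCounts
```

distinctLabels reports all 120 categories because dc() is computed over every event in the group, while listedLabels cannot exceed 100, and the categories that do make it into the list still carry their full count (cat1 to cat30 show a count of 2 even though their second occurrences sit in rows beyond the 100-entry window). That is the behaviour observed in the question: the first eventstats is correct for every row, only the list() rendering is truncated. Note also that swapping both list() calls for values(), as in the answer above, dedups and sorts each field on its own (amountLabels lexically, HTamountCounts down to its distinct count values), so mvzip then pairs entries by position rather than by the row they came from; keep list() for the two fields you zip, or build the label|count pair per row with a single eval before aggregating it.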
@wfskmoney
This can help you.
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description
However, I realized that my frequency counts are correct even after using list aggregation on more than 100 values. Could it be that Splunk in memory processes all the records, and just doesn't display them in a table in an MV field? I use mvdedup at the end.
| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)