
eventstats into multi-value list limit of max values

wfskmoney
Path Finder

Is there a limit on the maximum number of values in the multi-value field listSummary for

| eventstats list(variable) as listSummary by <group>
0 Karma
1 Solution

jnudell_2
Builder

Hi @wfskmoney ,
As per the document reference by @kamlesh_vaghela (https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description), the list(X) command has a limit of 100 values returned.

wfskmoney
Path Finder

Yet I noticed that my frequency summaries are accurate even after using lists on aggregated results with more than 100. Does this mean that Splunk in memory still processes all events, just doesn't display them in a table? In my case I use mvdedup at the end.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)
0 Karma

jnudell_2
Builder

Hi @wfskmoney ,
You're better off using values instead of list and dedup if you want unique values of amountInCHFCat.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats values(amountInCHFCat) as amountLabels, values(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)

Of course, you can use list in addition to values if your mvzip doesn't work the way you want it to after that.
In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). This is usually enough for most applications, but I have seen instances where the memory limit is reached (which you can see as a max_mem message in the search.log for the search job).

0 Karma
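An added example, not from the thread: a Python model of the documented semantics of list(), values(), mvzip and mvdedup, run over a constructed set of amountInCHFCat values for one contract, showing why the list()-based pipeline keeps each label|count pair aligned (until list()'s 100-value cap) while values() sorts labels and counts independently and can mispair them. The function names, the LIST_LIMIT constant and the sample events are assumptions of the model, not Splunk code.

```python
# Model of the Splunk multivalue functions used in the thread (assumption:
# a simplified re-implementation for illustration, not Splunk's own code).
from collections import Counter

LIST_LIMIT = 100  # list(X) returns at most 100 values, per the docs cited above


def spl_list(vals):
    """list(X): values in event order, duplicates kept, capped at 100."""
    return list(vals)[:LIST_LIMIT]


def spl_values(vals):
    """values(X): distinct values, ordered lexicographically."""
    return sorted(set(vals))


def mvzip(a, b, delim="|"):
    """mvzip(X,Y,"Z"): pair the i-th elements of two multivalue fields."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]


def mvdedup(vals):
    """mvdedup(X): drop duplicate values, keeping first-seen order."""
    seen, out = set(), []
    for v in vals:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def summarize(events, agg):
    """Model the thread's pipeline for one contractId:
    eventstats count by label -> eventstats agg(label), agg(count)
    -> eval mvzip -> eval mvdedup.  'events' are the label strings."""
    counts = Counter(events)                             # count per label
    per_event_counts = [str(counts[e]) for e in events]  # attached to each event
    labels, cnts = agg(events), agg(per_event_counts)
    return mvdedup(mvzip(labels, cnts))


# Constructed sample: amountInCHFCat values of the events of one contract
events = ["0-100", "500-1000", "0-100", "100-500", "0-100"]
with_list = summarize(events, spl_list)      # ['0-100|3', '500-1000|1', '100-500|1']
with_values = summarize(events, spl_values)  # ['0-100|1', '100-500|3']: mispaired


def list_truncates(n_distinct):
    """With more than 100 distinct labels, list()-based pairs are silently cut off."""
    ev = [f"cat{i:03d}" for i in range(n_distinct)]
    return len(summarize(ev, spl_list))
```

The values() variant pairs the sorted count strings with the sorted labels, so the counts no longer belong to the labels they sit next to; the list() variant stays correct but loses everything past the 100th value.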

wfskmoney
Path Finder

Thanks, yes I figured in memory it should be fine. So it is possible to use list() if I don't table out.

0 Karma

wfskmoney
Path Finder

However I realized that my frequency counts are correct even after using list aggregation on more than 100 values. Could it be that Splunk in memory processes all the records, just doesn't display them in a table in an MV field? I use mvdedup at the end.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)
0 Karma