eventstats into multi-value list limit of max values

Explorer

Is there a limit on the maximum number of values in a multi-value field like listSummary for

| eventstats list(variable) as listSummary by <group> 
Re: eventstats into multi-value list limit of max values

Explorer

However, I realized that my frequency counts are correct even after using list aggregation on more than 100 values. Could it be that Splunk processes all the records in memory and just doesn't display them in a table in an MV field? I use mvdedup at the end.

    | table contractId amountInCHFCat
    | eventstats count as HTamountCounts by contractId amountInCHFCat
    | eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
    | eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
    | eval amountLabels = mvdedup(amountLabels)
    | eval HTamountCounts = mvdedup(HTamountCounts)
Re: eventstats into multi-value list limit of max values

Builder

Hi @wfskmoney ,
As per the document referenced by @kamlesh_vaghela (https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Multivaluefunctions#Description), the list(X) command has a limit of 100 values returned.

Re: eventstats into multi-value list limit of max values

Explorer

Yet I noticed that my frequency summaries are accurate even after using lists on aggregated results with more than 100. Does this mean that Splunk still processes all events in memory and just doesn't display them in a table? In my case I use mvdedup at the end.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats list(amountInCHFCat) as amountLabels, list(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)
Re: eventstats into multi-value list limit of max values

Builder

Hi @wfskmoney ,
You're better off using values instead of list and dedup if you want unique values of amountInCHFCat.

| table contractId amountInCHFCat
| eventstats count as HTamountCounts by contractId amountInCHFCat
| eventstats values(amountInCHFCat) as amountLabels, values(HTamountCounts) as HTamountCounts by contractId
| eval HTamountCounts=mvzip(amountLabels,HTamountCounts,"|")
| eval amountLabels = mvdedup(amountLabels)
| eval HTamountCounts = mvdedup(HTamountCounts)

Of course, you can use list in addition to values if your mvzip doesn't work the way you want it to after that.
In regard to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). This is usually enough for most applications, but I have seen instances where the memory limit is reached (which you can see as a max_mem message in the search.log for the search job).

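An added example, not from this thread, that reuses the field names above with constructed sample rows: it builds each label|count pair before the values() aggregation, so the pairs cannot be misaligned by the lexicographic sort that values() applies to each field separately (a count of "10" sorts before "2"), and list() with its 100-value cap is not needed at all. It assumes makeresults and streamstats are available, as in any current Splunk release.

```spl
| makeresults count=6
| streamstats count AS n
| eval contractId=if(n<=3, "C1", "C2")
| eval amountInCHFCat=case(n=1 OR n=2 OR n=5, "0-100", n=3, "100-500", true(), "500-1000")
| fields contractId amountInCHFCat
| stats count AS HTamountCounts BY contractId amountInCHFCat
| eval labelCount=amountInCHFCat . "|" . HTamountCounts
| stats values(amountInCHFCat) AS amountLabels, values(labelCount) AS HTamountCounts BY contractId
```

The constructed rows give C1 amountLabels {0-100, 100-500} with HTamountCounts {0-100|2, 100-500|1} and C2 amountLabels {0-100, 500-1000} with HTamountCounts {0-100|1, 500-1000|2}; swap the final stats for eventstats if the per-category rows need to be kept, as in the original search.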
Re: eventstats into multi-value list limit of max values

Explorer

Thanks, yes, I figured it should be fine in memory. So it is possible to use list() if I don't table it out.