Splunk Search

How can we limit the tstats record?

sumitnagal
Path Finder

I have been using the tstats command for a while. Right now we want the tstats command to limit its records, because we are using it with Kubernetes and there are way too many events. I have looked around and don't see a limit option. As a workaround I use `| head 100` to limit the output, but that won't stop the main search query from being processed.


jonaclough
Path Finder

If you want to filter by column, try something like this:

| tstats allow_old_summaries=t summariesonly=t 
count min(_time) as first_time max(_time) as last_time 
from datamodel=Network_Traffic 
where All_Traffic.action="allowed"
by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport
| rename All_Traffic.* as * 
| sort 0 - last_time
| convert ctime(first_time) ctime(last_time)
| fields dvc rule src_ip dest dest_port transport count first_time last_time action

LIS
Path Finder

Maybe it is correct from the theoretical side, but it was checked in a practical way:

In comparison, the query with prestats for the same data and time frame takes 0.874 seconds:

| tstats prestats=t count(your field) where index=index by field
| head 50
| stats count(your field) by field

This search has completed and has returned 5 results by scanning 6,460 events in 0.874 seconds

While without prestats it takes 6.305 seconds:

| tstats count(your field) where index=index by field
| head 50

This search has completed and has returned 5 results by scanning 76,972 events in 6.305 seconds

richgalloway
SplunkTrust

Interesting!  Thanks for sharing!

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
The short answer is you can't.
You can limit the tstats results with the where clause, but there's no way to stop it after a certain number of results, just like with the implicit search command in non-tstats queries.
---
If this reply helps you, Karma would be appreciated.
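As an added example (not code from any of the posts above), here is what "limit with the where clause" looks like for the Kubernetes case in the question. The index name `kubernetes`, the sourcetype pattern `kube:container:*` and the `host`/`source` split fields are assumptions; substitute your own.

```spl
| tstats count min(_time) as first_time max(_time) as last_time
    where index=kubernetes sourcetype="kube:container:*" earliest=-15m latest=now
    by host source
| sort 0 -count
| head 100
| convert ctime(first_time) ctime(last_time)
```

The terms inside the tstats where clause (index, sourcetype, and the earliest/latest time modifiers) are evaluated against the indexed fields, so they are what shrink the number of events scanned. Everything after the first pipe (`sort`, `head`, `convert`) runs on the aggregated rows that tstats has already produced and only trims what is returned. If the search is still too heavy, tighten the time window or the indexed-field filters rather than leaning on `head`; adding a `| where count > N` after tstats is also a post-aggregation filter and does not reduce the scan.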

LIS
Path Finder

This is possible with the argument prestats=t followed by, for example, the stats command:

| tstats prestats=t count(your field) where index=index by field
| head 50
| stats count(your field) by field

richgalloway
SplunkTrust

That will limit the number of results, but as the OP says, it has no effect on the number of events read from disk.

---
If this reply helps you, Karma would be appreciated.