Splunk Search

'stats' command: limit for values of field 'par_ID' reached. Some values may have been truncated or ignored.

harshal_chakran
Builder

Hi,

I have a CSV file where I list a certain column field using the following search query:

sourcetype=csv | rex field=_raw "(\d+,){2}(?<par_ID>\d+)" | stats list(par_ID) as pID

As the file is very big, the events come to around 600,000. But in the stats list field I can see only a limited number of values (i.e. 100), and the remaining ones got truncated. The warning which I can see in the job button is:

Is it a limitation of the "stats list" command that only 100 values are shown? How can I see all the values in the list?

0 Karma

somesoni2
Revered Legend

The command "| stats list(par_ID) as pID" will put all the values of the par_ID field into one single field, pID, and as you said, the number of values could go up to 600,000, which definitely exceeds the limit of data that can be displayed in a single field (1000 bytes).

If you are interested in just listing all the distinct values of the field par_ID, then I would suggest using "| stats count by par_ID | fields - count | rename par_ID as pID".

landen99
Motivator

values solved this issue for me as well. values removes duplicate values and sorts the data, so this should be kept in mind when considering this approach.

0 Karma

harshal_chakran
Builder

Using "stats values" did the magic!!!

0 Karma

harshal_chakran
Builder

Thanks for the help, somesoni2.
I have more than 2 variables to show in the result. As I am using the count command for one variable, I can't write it for another variable in the same query. Please help.

0 Karma