Hello,
I'm new to Splunk and I'm trying to get all the different values of a field with the stats values() command, with results grouped by another field. Here is the query:
src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act | where num_vendors>1
The maximum number of vendors returned by the query is two, but searching with the "view events" link of a result, the real number of different vendors is three or four in some cases.
The same problem occurs using the list() function, it only shows the elements from a maximum of two different vendors.
I tried to modify the list_maxsize param in the limits.conf file but it doesn't solve the problem; even with the list() function, there are no more than 2 different values in the "vendors" field.
Can anybody help me?
Thank you very much!
Regards.
Thanks for the answer fdi01,
The problem was that the field "act" has the same values in lower and upper case, and it seems that "by src_act" doesn't interpret those cases in the same way as the event search does (the event search ignores word case, but "by" does not).
I solved the problem using lower() in the eval expression:
eval src_act=lower(src.".".act)
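As an added illustration, not part of this thread and not Splunk itself: a small Python simulation of `stats values(vendor) as vendors dc(vendor) as num_vendors by src_act` over a few constructed events, showing why a case-sensitive grouping key splits one activity into several groups (and so caps num_vendors at 2) until the key is normalised with lower(). It assumes, as the thread describes, that the "by" clause compares keys case-sensitively; the trailing `where num_vendors>1` filter is left out.

```python
"""Simulates the Splunk search from the question over constructed events:

    src=* | eval src_act=src.".".act
          | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act

Assumption (as described in the thread): the "by" clause compares the
grouping key case-sensitively, while the event search does not.
"""
from collections import defaultdict

# Constructed sample events: the same logical activity is logged with the
# "act" field in different letter cases by different vendors.
EVENTS = [
    {"src": "10.0.0.5", "act": "Login", "vendor": "VendorA"},
    {"src": "10.0.0.5", "act": "login", "vendor": "VendorB"},
    {"src": "10.0.0.5", "act": "LOGIN", "vendor": "VendorC"},
    {"src": "10.0.0.5", "act": "Login", "vendor": "VendorD"},
    {"src": "10.0.0.9", "act": "Logout", "vendor": "VendorA"},
    {"src": "10.0.0.9", "act": "logout", "vendor": "VendorB"},
]


def stats_vendors_by_src_act(events, normalise_case=False):
    """Return {src_act: (sorted vendors, num_vendors)}, mirroring
    `stats values(vendor) as vendors dc(vendor) as num_vendors by src_act`.
    With normalise_case=True the key is built as lower(src.".".act)."""
    groups = defaultdict(set)
    for ev in events:
        key = ev["src"] + "." + ev["act"]      # eval src_act=src.".".act
        if normalise_case:
            key = key.lower()                  # eval src_act=lower(src.".".act)
        groups[key].add(ev["vendor"])          # values()/dc() are set-based
    return {k: (sorted(v), len(v)) for k, v in groups.items()}


def max_num_vendors(events, normalise_case=False):
    """Largest num_vendors over all groups: the figure the original poster
    saw capped at 2 before adding lower()."""
    return max(n for _, n in stats_vendors_by_src_act(events, normalise_case).values())


if __name__ == "__main__":
    for flag in (False, True):
        print("lower() applied:", flag)
        for key, (vendors, n) in sorted(stats_vendors_by_src_act(EVENTS, flag).items()):
            print(f"  {key:20} vendors={vendors} num_vendors={n}")
```

Without lower() the four "login" events for 10.0.0.5 land in three separate groups, so no group ever reports more than 2 vendors; with lower() they collapse into one group with num_vendors=4.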
You should have accepted fdi01's answer then, instead of posting your own and accepting it.
Hello jeremiahc4, I appreciate fdi01's answer, but it didn't help me in solving my problem. When I found the real problem and solution by modifying the query, I posted that solution. That's why I marked my explanation as accepted.
Your query is correct, and so are the results obtained.
You use the where command to filter the output of the stats command.
Also make sure that all vendors have a "src_act", because when you write "by src_act" in the stats command you also filter the results.
Try like:
src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act
or
src=* | eval src_act=src.".".act | stats values(vendor) as vendors |...