Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats values() doesn't return all values

jorgeoa
Explorer
‎06-10-2015 01:06 AM

Hello,

I'm new with splunk and I'm trying to get all the different values of a field with stats values() command with results grouped by another field. Here is the query:

src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act | where num_vendors>1

The maximum number of vendors returned by the query is two, but searching with the "view events" link of a result, the real number of different vendors is three or four in some cases.

The same problem occurs using the list() function, it only shows the elements from a maximum of two different vendors.

I tried to modify the list_maxsize param in limits.conf file but it doesn't solve the problem, even with the list() function, no more that 2 different values in "vendors" field.

Anybody can help me?

Thank you very much!

Regards.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jorgeoa
Explorer
‎06-10-2015 02:06 AM

Thanks for the answer fdi01,

The problem was that the field "act" have the same values in lower and upper case, and it seems that the "by src_act" doesn't interprets that cases in the same way as the search events does (search events ignore word case but "by" not).

I solved the problem using lower() in the eval expression:

eval src_act=lower(src.".".act)

View solution in original post

Reply
Solved! Jump to solution
Solution

jorgeoa
Explorer
‎06-10-2015 02:06 AM

Thanks for the answer fdi01,

The problem was that the field "act" have the same values in lower and upper case, and it seems that the "by src_act" doesn't interprets that cases in the same way as the search events does (search events ignore word case but "by" not).

I solved the problem using lower() in the eval expression:

eval src_act=lower(src.".".act)

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎07-15-2015 09:46 AM

You should have accepted fdi01's answer then, instead of posting your own and accepting it.

0 Karma
Reply
Solved! Jump to solution

jorgeoa
Explorer
‎07-15-2015 09:57 AM

Hello jeremiahc4, I appreciate the fdi01's answer but it didn't help me in solving my problem. When I found the real problem and solution by modifying the query, I posted that solution. That's why I marked my explanation as accepted.

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎06-10-2015 01:43 AM

your Requette is correct also that the results obtained.
you use the where command to filter the results to the output of the stats command.
and also Reassure you that all vendors have a "src_act" because when you write "by src_act" in the command stats you also filter the results.

try like 

src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act

or 

src=* | eval src_act=src.".".act | stats values(vendor) as vendors |...
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top