Splunk Search

stats values() doesn't return all values

jorgeoa
Explorer

Hello,

I'm new to Splunk and I'm trying to get all the different values of a field with the stats values() command, with results grouped by another field. Here is the query:

src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act | where num_vendors>1

The maximum number of vendors returned by the query is two, but searching with the "view events" link of a result, the real number of different vendors is three or four in some cases.

The same problem occurs using the list() function, it only shows the elements from a maximum of two different vendors.

I tried to modify the list_maxsize param in the limits.conf file but it doesn't solve the problem; even with the list() function, there are no more than 2 different values in the "vendors" field.

Anybody can help me?

Thank you very much!

Regards.

1 Solution

jorgeoa
Explorer

Thanks for the answer fdi01,

The problem was that the field "act" has the same values in lower and upper case, and it seems that "by src_act" doesn't interpret those cases in the same way as the event search does (the event search ignores word case, but "by" does not).

I solved the problem using lower() in the eval expression:

eval src_act=lower(src.".".act)

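To make the accepted explanation concrete, here is an added example (not from the original thread, and not Splunk code): a small Python model of how `stats values(vendor) dc(vendor) by src_act` groups events. It shows why a case-sensitive `by` key splits one logical group into several, why the `where num_vendors>1` filter then hides most of them, and how lowering the key in the `eval` collapses them again. The event set, vendor names and IP addresses are constructed for the demonstration.

```python
# Added example, not from the original post: a model of Splunk's `stats ... by`
# grouping semantics, written to show the mixed-case problem from the thread.
from collections import defaultdict

# Constructed sample events: the same firewall action logged with mixed case.
EVENTS = [
    {"src": "10.0.0.5", "act": "Block", "vendor": "VendorA"},
    {"src": "10.0.0.5", "act": "block", "vendor": "VendorB"},
    {"src": "10.0.0.5", "act": "BLOCK", "vendor": "VendorC"},
    {"src": "10.0.0.5", "act": "Block", "vendor": "VendorD"},
    {"src": "10.0.0.9", "act": "allow", "vendor": "VendorA"},
]


def stats_by_src_act(events, normalize=False):
    """Model of:
        eval src_act=src.".".act
        | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act

    The `by` clause compares the group key exactly, so "Block", "block" and
    "BLOCK" land in three different groups. With normalize=True the key is
    lowered first, mirroring `eval src_act=lower(src.".".act)`.
    """
    groups = defaultdict(set)
    for ev in events:
        key = ev["src"] + "." + ev["act"]
        if normalize:
            key = key.lower()
        groups[key].add(ev["vendor"])
    # values() yields the distinct values in lexicographic order; dc() counts them.
    return {k: {"vendors": sorted(v), "num_vendors": len(v)} for k, v in groups.items()}


def where_num_vendors_gt(rows, n=1):
    """Model of `| where num_vendors>1`: keeps only groups with more than n vendors."""
    return {k: r for k, r in rows.items() if r["num_vendors"] > n}


def search_count_distinct_vendors(events, src, act):
    """Model of the "view events" search `src=<src> act=<act>`.

    Field-value matching in a Splunk search is case-insensitive, so every
    case variant of act matches and all vendors are counted.
    """
    return len({ev["vendor"] for ev in events
                if ev["src"] == src and ev["act"].lower() == act.lower()})


if __name__ == "__main__":
    raw = where_num_vendors_gt(stats_by_src_act(EVENTS))
    fixed = where_num_vendors_gt(stats_by_src_act(EVENTS, normalize=True))
    print("case-sensitive by:", raw)    # only the "Block" group survives, with 2 vendors
    print("lower() in eval:  ", fixed)  # one group for 10.0.0.5 with all 4 vendors
    print("event search sees:", search_count_distinct_vendors(EVENTS, "10.0.0.5", "block"))
```

Run stand-alone, the case-sensitive variant reproduces the symptom from the question: four vendors exist for 10.0.0.5, but they are spread over three groups, the `where` clause drops the two single-vendor groups, and the one surviving row shows only two vendors. Applying `lower()` to the key before grouping gives a single row with all four.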


jeremiahc4
Builder

You should have accepted fdi01's answer then, instead of posting your own and accepting it.


jorgeoa
Explorer

Hello jeremiahc4, I appreciate fdi01's answer, but it didn't help me solve my problem. When I found the real problem and solution by modifying the query, I posted that solution. That's why I marked my explanation as accepted.


fdi01
Motivator

Your query is correct, and so are the results obtained.
You use the where command to filter the results output by the stats command.
Also make sure that all vendors have a "src_act", because when you write "by src_act" in the stats command you also filter the results.

try like

src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act 

or

src=* | eval src_act=src.".".act | stats values(vendor) as vendors |...