stats values() doesn't return all values

Explorer

Hello,

I'm new to Splunk and I'm trying to get all the different values of a field with the stats values() command, with results grouped by another field. Here is the query:

src=* | eval srcact=src.".".act | stats values(vendor) as vendors dc(vendor) as numvendors by srcact | where numvendors>1

The maximum number of vendors returned by the query is two, but when searching via the "view events" link of a result, the real number of different vendors is three or four in some cases.

The same problem occurs using the list() function: it only shows the elements from a maximum of two different vendors.

I tried to modify the list_maxsize param in the limits.conf file, but it doesn't solve the problem; even with the list() function, there are no more than 2 different values in the "vendors" field.

Can anybody help me?

Thank you very much!

Regards.


Explorer

Thanks for the answer fdi01,

The problem was that the field "act" has the same values in lower and upper case, and it seems that "by src_act" doesn't interpret those cases the same way the event search does (the event search ignores word case, but "by" does not).

I solved the problem using lower() in the eval expression:

eval src_act=lower(src.".".act)

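To make the accepted explanation concrete, here is an added Python simulation (not code from the original thread or from Splunk) of what the `stats ... by src_act` clause does with a mixed-case grouping key, and what `lower()` changes. The events, source addresses, action strings and vendor names are constructed for the illustration; `stats_values_by` mimics Splunk's `values()`, `dc()` and exact-match `by` grouping, it is not the Splunk implementation.

```python
from collections import defaultdict

# Constructed sample events. "act" carries the same action in mixed case,
# which is the situation described in the accepted answer.
EVENTS = [
    {"src": "10.0.0.1", "act": "Login", "vendor": "Cisco"},
    {"src": "10.0.0.1", "act": "Login", "vendor": "Juniper"},
    {"src": "10.0.0.1", "act": "login", "vendor": "Palo Alto"},
    {"src": "10.0.0.1", "act": "LOGIN", "vendor": "Fortinet"},
    {"src": "10.0.0.1", "act": "Login", "vendor": "Cisco"},
    {"src": "10.0.0.2", "act": "deny", "vendor": "Cisco"},
    {"src": "10.0.0.2", "act": "Deny", "vendor": "Fortinet"},
]


def stats_values_by(events, key_fn):
    """Mimic `stats values(vendor) as vendors dc(vendor) as numvendors by <key>`.

    Grouping is an exact string match on the key, which is how the `by`
    clause behaves: "10.0.0.1.Login" and "10.0.0.1.login" are different groups.
    values() is modelled as the sorted set of vendors, dc() as its size.
    """
    groups = defaultdict(set)
    for ev in events:
        groups[key_fn(ev)].add(ev["vendor"])
    return {
        key: {"vendors": sorted(vendors), "numvendors": len(vendors)}
        for key, vendors in groups.items()
    }


def raw_key(ev):
    """eval srcact=src.".".act  (the original, case-preserving key)."""
    return ev["src"] + "." + ev["act"]


def lower_key(ev):
    """eval src_act=lower(src.".".act)  (the fix from the accepted answer)."""
    return (ev["src"] + "." + ev["act"]).lower()


def where_numvendors_gt(result, n):
    """Mimic `| where numvendors>n` applied to the stats output."""
    return {k: v for k, v in result.items() if v["numvendors"] > n}


if __name__ == "__main__":
    # Case-preserving key: the Login/login/LOGIN events land in three groups,
    # so no group sees more than two vendors even though four are present.
    print(where_numvendors_gt(stats_values_by(EVENTS, raw_key), 1))
    # Lower-cased key: the three groups collapse into one with all four vendors.
    print(where_numvendors_gt(stats_values_by(EVENTS, lower_key), 1))
```

Note that `dc()` and `values()` compare the aggregated field the same way: if the vendor field itself appeared in mixed case, it would also need `lower()` (or `upper()`) before the stats command, otherwise "Cisco" and "cisco" would count as two distinct vendors.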

Builder

You should have accepted fdi01's answer then, instead of posting your own and accepting it.


Explorer

Hello jeremiahc4, I appreciate fdi01's answer, but it didn't help me in solving my problem. When I found the real problem and solution by modifying the query, I posted that solution. That's why I marked my explanation as accepted.


Motivator

Your query is correct, and so are the results obtained.
You use the where command to filter the results output by the stats command.
Also make sure that all vendors have a "srcact", because when you write "by srcact" in the stats command you also filter the results.

try like

src=* | eval src_act=src.".".act | stats values(vendor) as vendors dc(vendor) as num_vendors by src_act 

or

src=* | eval src_act=src.".".act | stats values(vendor) as vendors |...