Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can we limit the tstats record?

sumitnagal
Path Finder
‎06-29-2020 02:09 PM

I am using tstats command from a while, right now we want to make tstats command to limit record as we are using in kubernetes and there are way too many events. I have looked around and don't see limit option. though as a work around I use `| head 100` to limit but that won't stop processing the main search query.

Labels (1)
Labels
0 Karma
Reply

jonaclough
Path Finder
‎01-20-2023 02:28 AM

If you want to filter by column try something like this

| tstats allow_old_summaries=t summariesonly=t 
count min(_time) as first_time max(_time) as last_time 
from datamodel=Network_Traffic 
where All_Traffic.action="allowed"
by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport
| rename All_Traffic.* as * 
| sort 0 - last_time
| convert ctime(first_time) ctime(last_time)
| fields dvc rule src_ip dest dest_port transport count first_time last_time action
0 Karma
Reply

LIS
Path Finder
‎01-20-2023 12:21 AM

Maybe it is correct from theoretical side, but it was checked in a practical way:

In comparison query with prestats for the same data and time frame takes 0.874 seconds

| tstats prestats=t count(your field) where index=index by field

| head 50

| stats count(your field) by field

This search has completed and has returned 5 results by scanning 6,460 events in 0.874 seconds

 

While without prestats - > 6.305 seconds

| tstats count(your field) where index=index by field

| head 50

This search has completed and has returned 5 results by scanning 76,972 events in 6.305 seconds

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2023 05:43 AM

Interesting!  Thanks for sharing!

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-29-2020 02:53 PM
The short answer is you can't.
You can limit the tstats results with the where clause, but there's no way to stop it after a certain number of results, just like with the implicit search command in non-tstats queries.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

LIS
Path Finder
‎01-19-2023 02:58 PM

This is possible with argument prestats=t and then for example command stats:

| tstats prestats=t count(your field) where index=index by field

| head 50

| stats count(your field) by field

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-19-2023 05:01 PM

That will limit the number of results, but as the OP says, it has no effect on the number of events read from disk.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...