Splunk Search

How can we limit the tstats record?

sumitnagal
Path Finder

I have been using the tstats command for a while; right now we want to make the tstats command limit its records, as we are using it with Kubernetes and there are way too many events. I have looked around and don't see a limit option. As a workaround I use `| head 100` to limit the output, but that won't stop the main search query from processing.

0 Karma

jonaclough
Path Finder

If you want to filter by column, try something like this:

| tstats allow_old_summaries=t summariesonly=t 
count min(_time) as first_time max(_time) as last_time 
from datamodel=Network_Traffic 
where All_Traffic.action="allowed"
by All_Traffic.dvc All_Traffic.rule All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.action All_Traffic.transport
| rename All_Traffic.* as * 
| sort 0 - last_time
| convert ctime(first_time) ctime(last_time)
| fields dvc rule src_ip dest dest_port transport count first_time last_time action
0 Karma

LIS
Engager

Maybe it is correct from the theoretical side, but it was checked in a practical way:

In comparison, the query with prestats for the same data and time frame takes 0.874 seconds:

| tstats prestats=t count(your field) where index=index by field
| head 50
| stats count(your field) by field

This search has completed and has returned 5 results by scanning 6,460 events in 0.874 seconds

While without prestats -> 6.305 seconds:

| tstats count(your field) where index=index by field
| head 50

This search has completed and has returned 5 results by scanning 76,972 events in 6.305 seconds


richgalloway
SplunkTrust

Interesting!  Thanks for sharing!

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

The short answer is you can't.
You can limit the tstats results with the where clause, but there's no way to stop it after a certain number of results, just like with the implicit search command in non-tstats queries.
---
If this reply helps you, Karma would be appreciated.
0 Karma

LIS
Engager

This is possible with the argument prestats=t and then, for example, the stats command:

| tstats prestats=t count(your field) where index=index by field
| head 50
| stats count(your field) by field

0 Karma

richgalloway
SplunkTrust

That will limit the number of results, but as the OP says, it has no effect on the number of events read from disk.

---
If this reply helps you, Karma would be appreciated.
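An added example (not from any poster in this thread) that puts the two points together: the where clause is what bounds the events tstats reads from disk, while prestats=t followed by head and stats only trims what is returned. The index, sourcetype and by-fields are assumptions for a Kubernetes deployment, not values from the thread.

```spl
| tstats prestats=t count
    where index=k8s sourcetype=kube:container earliest=-15m latest=now
    by host source
| head 50
| stats count by host source
```

Compare the "scanning N events" figure in the job inspector with and without the index, sourcetype and time bounds in the where clause; only those bounds change the scanned count, whereas head only changes the results returned.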