Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I limit the results of a stats values() function?

thisissplunk
Builder
‎05-04-2016 10:13 AM

I want to list about 10 unique values of a certain field in a stats command. I cannot figure out how to do this. I figured stats values() would work, and it does... but I'm getting hundred of thousands of results. I only want the first ten!

Of course, a top command or simple head command won't work because I need the values of a field, keyed off of another field.

Example:

index=* | stats values(IPs) count by hostname

I want the first ten IP values for each hostname. NOT all (hundreds) of them! Imagine a crazy dhcp scenario. I'm also open to other ways of displaying the data.

Reply
1 Solution
Solved! Jump to solution
Solution

thisissplunk
Builder
‎05-04-2016 10:33 AM

I've figured it out. You need to use a mvindex command to only show say, 1 through 10 of the values() results:

| stats values(IP) AS unique_ip_list_sample dc(IP) AS actual_unique_ip_count count as events by hostname 
| eval unique_ip_list_sample=mvindex(unique_ip_value_sample, 0, 10)
| sort -events

View solution in original post

Reply
Solved! Jump to solution

pj
Contributor
‎07-08-2016 12:05 PM

If you have multiple fields that you want to chop (i.e. to show a sample across all) you can also use something like this:

| stats values(*) as *
| foreach * [eval <<FIELD>>=mvindex('<<FIELD>>',0,10)]
Reply
Solved! Jump to solution

benton
Path Finder
‎10-31-2017 07:40 PM

That's clean! Here's a small enhancement:

| foreach * [eval <<FIELD>>=if(mvcount('<<FIELD>>')>10, mvappend(mvindex('<<FIELD>>',0,9),"..."), '<<FIELD>>')]

This will display the first 10 values and if there are more than that it will display a "..." making it clear that the list was truncated.

Reply
Solved! Jump to solution

kartikaykv1
Explorer
‎09-19-2023 09:56 AM

Excellent Job!!!

0 Karma
Reply
Solved! Jump to solution

CSmoke
Path Finder
‎10-10-2017 04:15 AM

Thanks, the search does exactly what I needed.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎05-04-2016 10:34 AM

Try this
index=* | stats values(IPs) a ip by hostname | mvexpand ip | streamstats count by host | where count<=10 | stats values(ip) as IPs by host

Reply
Solved! Jump to solution

thisissplunk
Builder
‎05-04-2016 10:36 AM

That's what I was thinking initially, but I don't want to actually filter any events out, which is what the "where" does.

0 Karma
Reply
Solved! Jump to solution
Solution

thisissplunk
Builder
‎05-04-2016 10:33 AM

I've figured it out. You need to use a mvindex command to only show say, 1 through 10 of the values() results:

| stats values(IP) AS unique_ip_list_sample dc(IP) AS actual_unique_ip_count count as events by hostname 
| eval unique_ip_list_sample=mvindex(unique_ip_value_sample, 0, 10)
| sort -events
Reply
Solved! Jump to solution

sjbriggs
Path Finder
‎04-12-2019 12:59 PM

Great solution. I was able to get my top 10 bandwidth users by business location and URL after a few modifications.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...