Splunk Search

Delim argument in stats function no longer supported?

cycheng
Path Finder

In http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Stats, I found that there is an optional argument "delim". I tried the searches below:

index=my_index | stats values(my_key)

and

index=my_index | stats delim="," values(my_key)

Both return a list that is split by "\n". Is this delim argument no longer supported?

rturk
Builder

Hi Cycheng - Good question. What is it you're trying to do exactly, because the use of delim in the context of stats isn't immediately clear.

From the documentation:

delim
Syntax: delim=<string>
Description: Used to specify how the values in the list() or values() aggregation are delimited. (default is a single space.)

I can't seem to figure out a search that demonstrates its function.

These searches give the same results:

index=_internal | stats values(group) AS groups
index=_internal | stats delim="_" values(group) AS groups

While the following, when used with the mvcombine command, I think does what you're looking for (truncated):

index=_internal | stats delim="_" values(group) AS groups | mvcombine groups

So I think the delim command only does anything useful when further processing is performed on the command (in this case by mvcombine).

index=_internal | stats delim=", " values(group) AS groups | mvcombine groups

I hope this helps, and if anyone else wants to chime in, I'm all ears!

Disclaimer: I may be going about this the wrong way, as I'm essentially using the "poke it with a stick and see what it does" approach...
