I'm having problems with getting all the values to display when using this:
|stats count, values(host) as Host, list(Time1), list(Time2) by devtype
It shows me a count of all the hosts for each devtype. There can be hundreds of hosts for each devtype, so it's only displaying the first 100 results for the Time1 and Time2 fields, which I know is a limitation for list, but I can't use values for the time fields because there can be duplicate values and it won't work.
Anyone have a suggestion for another way of getting everything to display??
I am also facing the same issue. Did you find any solution?
Give this a try
your base search |stats count latest(Time1) as Time1 latest(Time2) as Time2 by devtype host
| stats sum(count) as count list(host) as Host list(Time1), list(Time2) by devtype
Thanks, but that's still limiting to 100 hosts.
Values(x) has an implied dedup. List(x) will list all values.
List(x) has a limit of returning the first 100 - that's the issue at hand.
Try this
... | stats count by devtype host Time1 Time2
This isn't quite what I'm looking for.
This results with the devtype being listed for every host. I'm trying to show each devtype once and then show each host and the times for each host.
Not quite what I'm looking for. I'm trying to get each unique devtype to display once and show all the hosts within that location and the times for each host - only there's hundreds of hosts for each devtype:
Example:
devtype  host   time1     time2
Dell     host1  10:00:00  11:00:00
HP       host2  10:00:00  10:30:00
         host3  12:00:00  13:00:00
         host4  12:30:00  14:00:00
IBM      host5  07:00:00  08:00:00
         host6  07:00:00  08:00:00
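One way to get the layout in the example above without list(), as an added example that is not from any poster in this thread: keep one result row per host, so the 100-item cap on list() never applies, then blank devtype on every row after the first in each group. The field names devtype, host, Time1 and Time2 come from the thread; `hosts` and `row` are names introduced here, and taking latest() per host is an assumption carried over from the earlier suggestion.

```spl
your base search
| stats latest(Time1) as Time1 latest(Time2) as Time2 by devtype host
| sort 0 devtype host
| eventstats count as hosts by devtype
| streamstats count as row by devtype
| eval hosts=if(row=1, hosts, null()), devtype=if(row=1, devtype, "")
| table devtype hosts host Time1 Time2
```

`sort 0` lifts the default row limit on sort so that groups with hundreds of hosts are not cut off, and `hosts` carries the per-devtype host count that the original `stats count` produced.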