Splunk Search

Is there an alternative to the stats list and values functions to get my expected result?

splunkin11
Path Finder

I'm having problems with getting all the values to display when using this:

|stats count, values(host) as Host, list(Time1), list(Time2) by devtype

It shows me a count of all the hosts for each devtype. There can be hundreds of hosts for each devtype, so it's only displaying the first 100 results for the Time1 and Time2 fields, which I know is a limitation for list, but I can't use values for the time fields because there can be duplicate values and it won't work.

Anyone have a suggestion for another way of getting everything to display?

sindhoo
Engager

I am also facing the same issue. Did you find any solution?

0 Karma

somesoni2
SplunkTrust

Give this a try

your base search |stats count latest(Time1) as Time1 latest(Time2) as Time2 by devtype host 
| stats sum(count) as count list(host) as Host list(Time1), list(Time2) by devtype
0 Karma

splunkin11
Path Finder

Thanks, but that's still limiting to 100 hosts.

0 Karma

dbcase
Motivator

Values(x) has an implied dedup. List(x) will list all values.

0 Karma

splunkin11
Path Finder

List(x) has a limit of returning the first 100 - that's the issue at hand.

0 Karma

sundareshr
Legend

Try this

... | stats count by devtype host Time1 Time2 

splunkin11
Path Finder

This isn't quite what I'm looking for.
This results in the devtype being listed for every host. I'm trying to show each devtype once and then show each host and the times for each host.

0 Karma

splunkin11
Path Finder

Not quite what I'm looking for. I'm trying to get each unique devtype to display once and show all the hosts within that location and the times for each host - only there's hundreds of hosts for each devtype:

Example:
devtype  host   time1     time2
Dell     host1  10:00:00  11:00:00
HP       host2  10:00:00  10:30:00
         host3  12:00:00  13:00:00
         host4  12:30:00  14:00:00
IBM      host5  07:00:00  08:00:00
         host6  07:00:00  08:00:00

0 Karma
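
One way to get the layout in the example above without list(), added here as an illustration and not posted by anyone in the thread: keep one row per host as in sundareshr's search, then blank the devtype on every row after the first in each group. The field names row and hosts are assumptions introduced for this example, and ... stands for the base search.

```spl
...
| stats count by devtype host Time1 Time2
| sort 0 devtype host Time1
| streamstats count as row by devtype
| eventstats dc(host) as hosts by devtype
| eval devtype=if(row=1, devtype, ""), hosts=if(row=1, hosts, "")
| table devtype hosts host Time1 Time2 count
```

Because every host stays on its own result row, the 100-item cap on list() (the list_maxsize setting in the [stats] stanza of limits.conf) never applies, and duplicate time values are kept. Events missing any of the four by-fields are dropped by the first stats, so fill them with fillnull beforehand if those hosts must appear.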