I was working with a search similar to:
my_nifty_search_terms | stats distinct_count(field) by date_hour
and noticed that at least one of my counts stopped conveniently at 100,000. Is this perhaps a hard-coded limit somewhere?
It is. The limit has either been removed in 4.1.6 or will be removed in 4.2. (Update: limit removed as of 4.1.6.) In the meantime, you can instead do:
my_nifty_search_terms | stats count by field,date_hour | stats count by date_hour
This will not be subject to the limit even in earlier (4.x) versions.
This limit does not exist as of 4.1.6, so you can use distinct_count() (or dc()) even if the result would be over 100,000.
In older versions (4.1.5 and down), you can use:
... | stats distinct_count(f)
can be replaced with
... | stats count by f | stats count
and in general
... | stats dc(f) as g by x,y,z,a,...
can be replaced with
... | stats count as g by f,x,y,z,a,... | stats count as g by x,y,z,a,...