Splunk Search

'stats' command: limit for values of field 'par_ID' reached. Some values may have been truncated or ignored.

harshal_chakran
Builder

Hi,

I have a csv file where I list certain column field using the following search query:

sourcetype=csv | rex field=_raw "(\d+,){2}(?<par_ID>\d+)" | stats list(par_ID) as pID

As the file is very big, the events come to be around 600,000. But in the stats list field I can see only limited values (i.e. 100), and the remaining got truncated. The warning which I can see in the job button is:

Is it a limitation of the "stats list" command that only 100 values are shown? How can I see all the values in the list?

0 Karma

somesoni2
Revered Legend

The command "|stats list(par_ID) as pID" will give all the values for the par_ID field in one single field pID, and as you said, the number of values could go up to 600,000, which definitely exceeds the limit of data that can be displayed in a single field (1000 bytes).

If you are interested in just listing all the distinct values for the field par_ID, then I would suggest using "|stats count by par_ID | fields - count | rename par_ID as pID".

landen99
Motivator

values solved this issue for me as well. values removes duplicate values and sorts the data, so this should be kept in mind when considering this approach.

0 Karma
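
The difference between list(), values() and the "stats count by" approach from the replies above, as an added example that is not part of the original thread. It runs on events generated with makeresults instead of the poster's CSV; the field n and the figure of 5000 distinct par_ID values are constructed, and the cap on list() is assumed to be at its default (list_maxsize in the [stats] stanza of limits.conf). The first search compares how many values each function keeps; the second returns one row per distinct value, so no multivalue field is involved.

```spl
| makeresults count=600000
| streamstats count as n
| eval par_ID = n % 5000
| stats list(par_ID) as listed values(par_ID) as distinct dc(par_ID) as distinct_count
| eval listed_n = mvcount(listed), distinct_n = mvcount(distinct)
| table listed_n distinct_n distinct_count

| makeresults count=600000
| streamstats count as n
| eval par_ID = n % 5000
| stats count by par_ID
| fields - count
| rename par_ID as pID
```

In the first search, comparing listed_n with distinct_count shows whether list() dropped values; when it does, the job reports the same "limit for values of field" warning as in the question.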

harshal_chakran
Builder

Using "stats values" did the magic!!!

0 Karma

harshal_chakran
Builder

Thanks for the help, somesoni2.
I have more than 2 variables to show in the result. As I am using the count command for one variable, I can't write it for another variable in the same query. Please help.

0 Karma