Splunk® Enterprise

Search Reference

Multivalue stats and chart functions

list(X)

Description

Returns a list of up to 100 values of the field X as a multivalue entry. The order of the values reflects the order of input events.

Usage

  • If more than 100 values are in field X, only the first 100 are returned.
  • This function processes field values as strings.
  • You can use the list(X) function with the chart, stats, and timechart commands.

Basic examples

To illustrate what the list function does, let's start by generating a few simple results. Use the makeresults and streamstats commands to generate a set of results that contain only a timestamp and a running count, which is used as a row number. For example:

| makeresults count=1000 | streamstats count AS rowNumber

The search returns two columns. The first column shows timestamp values. The second column shows numbers starting from 1. In effect, the second column shows row numbers for each result.

Add the stats command with the list function to return the numbers in ascending order.

| makeresults count=1000 | streamstats count AS rowNumber | stats list(rowNumber) AS numbers

The results are one column, labeled "numbers", which contains the result numbers in ascending order. For example: 1, 2, 3, 4, and so forth.

Compare these results with the results returned when the values function is used.

values(X)

Description

Returns the list of all distinct values of the field X as a multivalue entry. The order of the values is lexicographical.

Usage

  • By default there is no limit to the number of values returned. Users with the appropriate permissions can specify a limit in the limits.conf file. You specify the limit in the [stats | sistats] stanza using the maxvalues setting.
  • This function processes field values as strings.
  • You can use the values(X) function with the chart, stats, and timechart commands.

Basic examples

To illustrate what the values function does, let's start by generating a few simple results. Use the makeresults and streamstats commands to generate a set of results that contain only a timestamp and a running count, which is used as a row number. For example:

| makeresults count=1000 | streamstats count AS rowNumber

The search returns two columns. The first column shows timestamp values. The second column shows numbers starting from 1. In effect, the second column shows row numbers for each result.

Add the stats command with the values function to return the numbers in lexicographical order.

| makeresults count=1000 | streamstats count AS rowNumber | stats values(rowNumber) AS numbers

The results are one column, labeled "numbers", which contains the result numbers in lexicographical order. For example: 1, 10, 100, 1000, 101, 102, 103, 104, 105, 106, 107, 108, 109, 11, 110, and so forth.

Compare these results with the results returned when the list function is used.
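
The two searches above combined into one, as an added example that is not part of the original Splunk documentation: it runs list and values over the same 1000 generated rows and uses the mvcount and mvindex eval functions to report how many values each function returned and in what order. The field names listedVals, distinctVals, listedCount, lastListed, distinctCount, and firstFiveDistinct are chosen here for illustration.

```spl
| makeresults count=1000
| streamstats count AS rowNumber
| stats list(rowNumber) AS listedVals values(rowNumber) AS distinctVals
| eval listedCount=mvcount(listedVals)
| eval lastListed=mvindex(listedVals, -1)
| eval distinctCount=mvcount(distinctVals)
| eval firstFiveDistinct=mvindex(distinctVals, 0, 4)
| table listedCount lastListed distinctCount firstFiveDistinct
```

Comparing listedCount with distinctCount makes the 100-value cap on list visible in the output, which is worth checking before treating a list(X) result as a complete record of a field.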


This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1

