Splunk® Enterprise

Search Reference

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Multivalue stats and chart functions

list(X)

Description

Returns a list of up to 100 values of the field X as a multivalue entry. The order of the values reflects the order of input events.

Usage

  • If more than 100 values are in field X, only the first 100 are returned.
  • This function processes field values as strings.
  • You can use the list(X) function with the chart, stats, and timechart commands.

Basic examples

To illustrate what the list function does, let's start by generating a few simple results. Use the makeresults and streamstats commands to generate a set of results that consist only of a timestamp and a running count; the count serves as a row number. For example:

| makeresults count=1000 | streamstats count AS rowNumber

This image shows the results of the search. There are two columns in the results. The first column shows timestamp values. The second column shows numbers starting from 1. In effect, the second column shows the row number of each result.

Add the stats command with the list function to return the numbers in ascending order.

| makeresults count=1000 | streamstats count AS rowNumber | stats list(rowNumber) AS numbers

The following image shows the results.

This image shows one column, labeled "numbers", which are the result numbers in ascending order. For example: 1, 2, 3, 4, and so forth.

Compare these results with the results returned when the values function is used.

values(X)

Description

Returns the list of all distinct values of the field X as a multivalue entry. The order of the values is lexicographical.

Usage

  • By default there is no limit to the number of values returned. Users with the appropriate permissions can specify a limit in the limits.conf file. You specify the limit in the [stats | sistats] stanza using the maxvalues setting.
  • This function processes field values as strings.
  • You can use the values(X) function with the chart, stats, and timechart commands.

Basic examples

To illustrate what the values function does, let's start by generating a few simple results. Use the makeresults and streamstats commands to generate a set of results that consist only of a timestamp and a running count; the count serves as a row number. For example:

| makeresults count=1000 | streamstats count AS rowNumber

This image shows the results of the search. There are two columns in the results. The first column shows timestamp values. The second column shows numbers starting from 1. In effect, the second column shows the row number of each result.

Add the stats command with the values function to return the numbers in lexicographical order.

| makeresults count=1000 | streamstats count AS rowNumber | stats values(rowNumber) AS numbers

This image shows one column, labeled "numbers", which are the result numbers in lexicographical order. For example: 1, 10, 100, 1000, 101, 102, 103, 104, 105, 106, 107, 108, 109, 11, 110, and so forth.

Compare these results with the results returned when the list function is used.
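The following Python script is an added example, not Splunk's own code or SPL from this page. It emulates the semantics of list(X) and values(X) described in both sections above over a constructed result set (the same 1000 row numbers the makeresults/streamstats searches produce, plus a small constructed set with duplicate values), so you can see exactly why list() stops at 100 values, why values() deduplicates, and why values() sorts 1, 10, 100, 1000, 101 rather than 1, 2, 3. The function names splunk_list, splunk_values and numeric_order, and the constant LIST_MAX_VALUES, are names chosen for this example.

```python
"""Emulate the list(X) and values(X) stats functions (added example, not Splunk code)."""

# list(X) keeps at most the first 100 values (stated on the page).
LIST_MAX_VALUES = 100


def make_results(count):
    """Constructed stand-in for: | makeresults count=<count> | streamstats count AS rowNumber"""
    return [{"rowNumber": n} for n in range(1, count + 1)]


def splunk_list(results, field, max_values=LIST_MAX_VALUES):
    """list(X): up to max_values values of `field`, as strings, in input (event) order.
    Events that lack the field contribute nothing."""
    out = []
    for r in results:
        if field not in r:
            continue
        if len(out) >= max_values:
            break
        out.append(str(r[field]))  # values are processed as strings
    return out


def splunk_values(results, field, max_values=None):
    """values(X): distinct values of `field`, as strings, in lexicographical order.
    No limit by default; max_values models the maxvalues setting in limits.conf."""
    distinct = sorted({str(r[field]) for r in results if field in r})
    if max_values is not None:
        distinct = distinct[:max_values]
    return distinct


def numeric_order(multivalue):
    """Re-sort a values() result numerically. Because the entries are strings,
    you must convert them before sorting if you want 1, 2, 3 rather than 1, 10, 100."""
    return sorted(multivalue, key=int)


# Constructed sample with duplicates, to show the deduplication values() performs.
STATUS_EVENTS = [
    {"status": 200}, {"status": 404}, {"status": 200},
    {"status": 500}, {"status": 404}, {"host": "web1"},  # last event has no status field
]


def main():
    rows = make_results(1000)
    listed = splunk_list(rows, "rowNumber")
    print("list():   %d values, first %s, last %s" % (len(listed), listed[:3], listed[-1]))
    valued = splunk_values(rows, "rowNumber")
    print("values(): %d values, first 15: %s" % (len(valued), valued[:15]))
    print("numeric:  %s" % numeric_order(valued)[:5])
    print("dedup:    list=%s values=%s" % (
        splunk_list(STATUS_EVENTS, "status"), splunk_values(STATUS_EVENTS, "status")))


if __name__ == "__main__":
    main()
```

Running the script prints 100 values for list() and 1000 for values(), with the values() output beginning 1, 10, 100, 1000, 101, exactly as the image above describes; numeric_order shows how to recover ascending numeric order once the multivalue field has been produced.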

Last modified on 17 March, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

