Splunk® Enterprise

Search Reference


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Multivalue stats and chart functions

list(X)

Description

Returns a list of up to 100 values of the field X as a multivalue entry. The order of the values reflects the order of input events.

Usage

  • If more than 100 values are in field X, only the first 100 are returned; the remaining values are discarded.
  • This function processes field values as strings.
  • You can use the list(X) function with the chart, stats, and timechart commands.

Basic examples

To illustrate what the list function does, start by generating a few simple results. Use the makeresults and streamstats commands to generate a set of results that consist of a timestamp and a running count, which serves as a row number. For example:

| makeresults count=1000 | streamstats count AS rowNumber

This image shows the results of the search. There are two columns in the results. The first column shows timestamp values. The second column shows numbers starting from 1. In effect the second column shows the row number of each result.

Add the stats command with the list function to return the numbers in the order in which the events were generated, which here is ascending order.

| makeresults count=1000 | streamstats count AS rowNumber | stats list(rowNumber) AS numbers

The following image shows the results.

This image shows one column, labeled "numbers", containing the row numbers in input order, which here is ascending: 1, 2, 3, 4, and so forth.

Compare these results with the results returned when the values function is used.

values(X)

Description

Returns the list of all distinct values of the field X as a multivalue entry. The order of the values is lexicographical. Because the values are handled as strings, numeric values are sorted as strings rather than numerically (for example, 1, 10, and 100 all precede 2).

Usage

  • By default there is no limit to the number of values returned. Users with the appropriate permissions can set a limit with the maxvalues setting in the [stats | sistats] stanza of the limits.conf file.
  • This function processes field values as strings.
  • You can use the values(X) function with the chart, stats, and timechart commands.

Basic examples

To illustrate what the values function does, start by generating a few simple results. Use the makeresults and streamstats commands to generate a set of results that consist of a timestamp and a running count, which serves as a row number. For example:

| makeresults count=1000 | streamstats count AS rowNumber

This image shows the results of the search. There are two columns in the results. The first column shows timestamp values. The second column shows numbers starting from 1. In effect the second column shows the row number of each result.

Add the stats command with the values function to return the distinct numbers in lexicographical order.

| makeresults count=1000 | streamstats count AS rowNumber | stats values(rowNumber) AS numbers

This image shows one column, labeled "numbers", which contains the distinct row numbers in lexicographical order. For example: 1, 10, 100, 1000, 101, 102, 103, 104, 105, 106, 107, 108, 109, 11, 110, and so forth.

Compare these results with the results returned when the list function is used.
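The two sections above describe the same pair of functions from opposite sides. The following Python model is an added example, not Splunk code and not part of this page: it re-implements what the documentation says list(X) and values(X) do (values handled as strings, list() keeping input-event order and stopping at 100, values() deduplicating and sorting lexicographically) so that the ordering and truncation behaviour can be inspected without a Splunk instance. The handling of events that lack the field (they contribute nothing), the stats_by helper, the cap constants, and the sample events are all assumptions of this model.

```python
"""
Model of Splunk's list(X) and values(X) aggregation semantics.

Added example, not Splunk code. It mirrors the documented behaviour:
values are processed as strings, list() preserves input-event order and
returns at most 100 values, values() returns distinct values in
lexicographical (string) order with no cap unless one is configured.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

LIST_MAX_VALUES = 100                      # documented cap for list(X)
VALUES_MAX_VALUES: Optional[int] = None    # values(X): unbounded unless limits.conf maxvalues is set


def splunk_list(field_values: Iterable[object],
                max_values: int = LIST_MAX_VALUES) -> List[str]:
    """list(X): every value as a string, in input-event order, first max_values only."""
    out: List[str] = []
    for v in field_values:
        if v is None:                 # assumption: event without the field adds nothing
            continue
        if len(out) >= max_values:    # values past the cap are dropped without any warning
            break
        out.append(str(v))
    return out


def splunk_values(field_values: Iterable[object],
                  max_values: Optional[int] = VALUES_MAX_VALUES) -> List[str]:
    """values(X): distinct values as strings, sorted lexicographically (string order, not numeric)."""
    distinct = sorted({str(v) for v in field_values if v is not None})
    return distinct if max_values is None else distinct[:max_values]


def row_numbers(count: int) -> List[int]:
    """Stand-in for `| makeresults count=<count> | streamstats count AS rowNumber`."""
    return list(range(1, count + 1))


def stats_by(events: List[Dict[str, object]], field: str,
             by: str) -> Dict[object, Dict[str, List[str]]]:
    """Model of `| stats list(<field>) values(<field>) by <by>` (hypothetical helper)."""
    groups: Dict[object, List[object]] = defaultdict(list)
    for event in events:
        if by in event:
            groups[event[by]].append(event.get(field))
    return {key: {"list": splunk_list(vals), "values": splunk_values(vals)}
            for key, vals in groups.items()}


# Constructed sample events (not real data): a few port accesses by one user and
# 150 distinct source addresses seen for a service account.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"user": "alice", "dest_port": 443},
    {"user": "alice", "dest_port": 22},
    {"user": "alice", "dest_port": 443},
    {"user": "alice", "dest_port": 8080},
    {"user": "alice", "dest_port": 80},
] + [{"user": "svc-backup", "src": f"10.0.0.{i}"} for i in range(150)]


if __name__ == "__main__":
    rows = row_numbers(1000)
    # list(): input order, only the first 100 of 1000 survive
    print(splunk_list(rows)[:5], len(splunk_list(rows)))
    # values(): string sort, so 1, 10, 100, 1000, 101, ... and all 1000 distinct values survive
    print(splunk_values(rows)[:15], len(splunk_values(rows)))
    # stats list(src) values(src) by user: list() stops at 100 sources, values() keeps all 150
    per_user = stats_by(SAMPLE_EVENTS, "src", "user")
    print(len(per_user["svc-backup"]["list"]), len(per_user["svc-backup"]["values"]))
```

The model makes the practical consequence explicit: when a search enumerates something like the source addresses or destination ports seen for an account, list() silently stops at the first 100 values, so a host that appears only after that point never shows up in the result, while values() keeps every distinct value but orders numeric-looking fields as strings (22, 443, 80, 8080). For an enumeration, values() or a distinct count is the safer choice; list() is for cases where input order or repeated values matter and the total is known to be small.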

Last modified on 17 March, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
