
I have a Splunk query which returns a list of values for a particular field. The number of values can be far more than 100, but the number of results returned is limited to 100 rows, and the warning that I get is this:

'stats' command: limit for values of field 'FieldX' reached. Some values may have been truncated or ignored.

The query in question can be as simple as this:

| stats list(FieldX)

Please note that I can't use table FieldX, since I want the results to be grouped by another field. Also, I can't use stats values(FieldX), since I am extracting two fields from an event and these fields have a one-to-one mapping; if I use stats values(), the order is messed up.

I tried stats list(values) limit=500, but it isn't helping. How can I have all the results returned?

Kunal gupta
  • What is your *actual* search now? Do you have any sample data? It's *likely* there's another way to do what you're trying to accomplish. – warren Sep 08 '20 at 18:29
  • The search looks like this: | stats list(Field1) list(Field2) by Field3 Field4. Field1 and Field2 have a one-to-one mapping in events and I want to maintain it. – Kunal gupta Sep 08 '20 at 19:25
  • Original question: https://stackoverflow.com/questions/63689944/group-events-by-multiple-fields-in-splunk – Kunal gupta Sep 08 '20 at 19:26
  • My [answer](https://stackoverflow.com/a/63800801/4418) on your first [question](https://stackoverflow.com/q/63689944/4418) *should* handle this one, too – warren Sep 08 '20 at 20:01

4 Answers


The only option, if you have a hard requirement to use list(values) logic, is to increase the list_maxsize value in limits.conf. See the complete limits.conf manual entry here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bstats.7Csistats.5D

list_maxsize is a system wide configuration so you'll have to:

  • establish a console connection to the Splunk instance
  • edit limits.conf, changing list_maxsize = 500
  • restart the splunk process

list_maxsize = <integer>
* Maximum number of list items to emit when using the list() function
  stats/sistats
* Default: 100
warren
Honky Donkey

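The three-step procedure in this answer (console connection, edit limits.conf, restart), as an added example that is not part of the answer and is not Splunk's own tooling: a POSIX shell script that sets list_maxsize inside the [stats] stanza of $SPLUNK_HOME/etc/system/local/limits.conf, reads the value back, and only when invoked with the argument apply touches the real instance and restarts it. The SPLUNK_HOME default of /opt/splunk and the value 500 are assumptions. Two points a practitioner should check that the answer does not spell out: the change belongs in etc/system/local (etc/system/default is replaced on upgrade), and it has to be made on the search head that actually executes the stats command, since that is where the list() truncation happens.

```shell
#!/bin/sh
# Added example, not from the answer above. Sets list_maxsize in the [stats]
# stanza of the *local* limits.conf; etc/system/default is overwritten on
# upgrade, so it is never edited here. SPLUNK_HOME=/opt/splunk and the
# value 500 are assumptions.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
LIST_MAXSIZE="${LIST_MAXSIZE:-500}"
LOCAL_CONF="$SPLUNK_HOME/etc/system/local/limits.conf"

# set_list_maxsize <conf-file> <integer>
# Replaces an existing list_maxsize inside [stats], inserts one if the stanza
# exists without it, or appends a new [stats] stanza. Other stanzas are left
# untouched, and a non-integer value is rejected before anything is written.
set_list_maxsize() {
    conf="$1"
    value="$2"
    case "$value" in
        ''|*[!0-9]*) echo "list_maxsize must be a positive integer: $value" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$conf")" || return 1
    [ -f "$conf" ] || : > "$conf"
    awk -v val="$value" '
        /^\[stats]/ { in_stats = 1; print; next }
        /^\[/ {
            # leaving [stats] without having seen the key: insert it here
            if (in_stats && !done) { print "list_maxsize = " val; done = 1 }
            in_stats = 0; print; next
        }
        in_stats && /^list_maxsize[ \t]*=/ {
            if (!done) { print "list_maxsize = " val; done = 1 }
            next   # drops any duplicate key in the stanza
        }
        { print }
        END {
            if (!done) {
                if (!in_stats) print "[stats]"
                print "list_maxsize = " val
            }
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_list_maxsize <conf-file>
# Prints the list_maxsize value found in the [stats] stanza (empty if none).
get_list_maxsize() {
    awk '
        /^\[stats]/ { in_stats = 1; next }
        /^\[/       { in_stats = 0 }
        in_stats && /^list_maxsize[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Only touch the real instance when explicitly asked:  sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    set_list_maxsize "$LOCAL_CONF" "$LIST_MAXSIZE" || exit 1
    echo "local limits.conf now has list_maxsize = $(get_list_maxsize "$LOCAL_CONF")"
    # btool shows the merged value Splunk will use once it has restarted
    "$SPLUNK_HOME/bin/splunk" btool limits list stats | grep list_maxsize
    "$SPLUNK_HOME/bin/splunk" restart
fi
```

Without the apply argument the script only defines the two functions, so it can be sourced and tried against a scratch copy of limits.conf first; the btool line is the check worth keeping, because it reports the value after all of Splunk's layering (default, local, apps) rather than just the file you edited.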

You can try setting the list_maxsize attribute in limits.conf to a higher value. Be warned that this will cause the query to use more memory. Remember to restart Splunk after changing the config file.

RichG


Check my answer to your other, related question.

Quoting the search from it:

index=ndx sourcetype=srctp Location=* Client=* TransactionNumber=* TransactionTime=*
| eval TNTT=TransactionNumber+" sep "+TransactionTime
| stats values(TNTT) as TNTT by Location Client
| rex field=TNTT "(?<TransactionNumber>\S+) sep (?<TransactionTime>.+)"
| table Location Client TransactionNumber TransactionTime

Note: you may need to reorder which fields are added in the eval line, for sorting via values() in the | stats line (and reorder the corresponding rex, too).

warren


What you could also do in your subsearch is:

| table FieldX | mvcombine FieldX

That way, you actually create a stats list(FieldX) without using stats.