I have LI version 4.3 installed. I have an interactive search where I want to see the unique count of hostname as a single value. I get the metric, and this is good! Is there a way to export the list of hostnames that determine the metric?
Hi there!
You have to run another query to get the list that you want once u have the data, you can then export it.
Please see the screenshot below:
| Screenshot |
|---|
And my notes on the query are: 1. [bottom left] -> "unique count of hostname" & "group by hostname" 2. The chart area shows the hostnames that you want to get 3. [bottom right] -> export -> export chart data -> as CSV Does this answer your question ? |
And another screenshot that shows that "Non-time series" and GROUP BY "hostname" should be selected in the drop down list
Yes, and this one - make sure you select "Table" as the chart type to see the data in tabular form
I really do like your suggestion, but my results have been limited. In "unique count of hostname" + "as single value" shows 7448, and this is over the last 7 days of data.
I reset, and I try "unique count of hostname" + "over time grouped by hostname", time grouping 1 week and the chart type is a table. I export the Chart Data, and I only receive an export of 2K lines.
Do you know a way around this limitation?
I believe that LI has a limit of 2K for the table.
Can you decrease the timespan from 7 days to say 1 day and check the results ?
Actually not the table's limitation but a limitation on how many entries LI can export as csv
Thank you everyone for the input and suggestions. I believe I have hit another limitation of the product.
I can reduce the time period, but this causes more manual work for me. I need to validate log reception from 16K devices. The devices will log at various times, so the longer the timespan the better. The product should allow for a "default" set of limits, and the product should allow users to increase the values.
As noted, it appears that I am hitting two different issues. One is the 2k limit on the table, and I would also like the ability to export more than 20K events. I voted for this idea at URL:
https://loginsight.ideascale.com/a/dtd/Enhancement-Export-Raw-Events/47454-24427
That appears to be the case. I believe that those limits will be addressed soon as new feature requests/enhancements!
