Skip to main content
Sumo Logic

values

The values operator provides all the distinct values of a field. This allows you to quickly identify and understand all the values a field has in your data. Additionally, you have the option to group by other fields of interest.

Syntax

  • values(<field>) [by <group_by_fields>] [as <field_name>]
Response Field

The response field separates each value with a new line character and places them in lexicographical order as follows:

  • Numbers before letters
  • Numbers sorted in ascending based on the value of the first digit
  • Letters sorted in alphabetical order
  • Uppercase before lowercase letters

This is an example of a response field with IP addresses:

values operator response field example.png

Limitation

  • The first 100 distinct values are returned for a field.

Examples

To identify all IP addresses by region.

_sourceCategory=Labs/*
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| values(ip_address) by region

To identify all IP addresses and namespaces by region.

To identify all sources by error type in my stack that logged an error in the last 24 hours.

To identify users that logged in from more than one country in the last 24 hours with a list of countries logged in from.

To know if my services have interacted with any known IOC threats.

To understand what ports were scanned or communicated over by one src_ip.