--- id: values title: values Grouping Operator sidebar_label: values slug: /help/docs/search/search-query-language/group-aggregate-operators/values/ canonical: https://www.sumologic.com/help/docs/search/search-query-language/group-aggregate-operators/values/ --- import useBaseUrl from '@docusaurus/useBaseUrl'; The `values` operator provides all the distinct values of a field. This allows you to quickly identify and understand all the values a field has in your data. Additionally, you have the option to group by other fields of interest. ## Syntax `values() [by ] [as ]` ### Response Field The response field separates each value with a new line character and places them in lexicographical order as follows: * Numbers before letters * Numbers sorted in ascending based on the value of the first digit * Letters sorted in alphabetical order * Uppercase before lowercase letters This is an example of a response field with IP addresses: Example of a response field with IP addresses ### Limitation * The first 100 distinct values are returned for a field. ## Examples ### Operational Analytics To identify all IP addresses by region: ```sumo _sourceCategory=Labs/* | parse regex "(?\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | values(ip_address) by region ``` To identify all IP addresses and namespaces by region: ```sumo _sourceCategory=Labs/* | parse regex "(?\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | values(ip_address) as val_ip, values(namespace) as val_namespace by region ``` To identify all sources by error type in my stack that logged an error in the last 24 hours: ```sumo _sourceCategory=prod01* | parse regex "(?i)(?WARN|CRITICAL|ERROR|FATAL)" | toUppercase(log_level) | _sourceCategory as sc | count as errors, values(sc) by log_level ``` To identify users that logged in from more than one country in the last 24 hours with a list of countries logged in from: ```sumo _sc=org-service “login” | parse username | geolookup country on ip=login_ip | count_distinct(country), values(country) by username | where count_distinct > 1 ``` ### Security Analytics To know if my services have interacted with any known IOC threats. ```sumo ...| values(IOC) by src_ip ``` To understand what ports were scanned or communicated over by one `src_ip`. ```sumo _source="PatchingInfo" and _collector="AWS SecurityHub Non Prod" | json field=_raw "port_name" as ports | json field=_raw "src_ip" as src_ip | values(ports) by ami ```