https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507666#M2451 <P>Hi,<BR />Thanks for your response. I forgot about the limit=n in the timechart command. Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />To complement your response I just added this after the timeshare command<BR /><BR />| timechart span=1d limit=1000 sum(count) by text&nbsp;<BR />| transpose<BR />| search NOT column=_span NOT column=_time<BR />| rename "row 1" as count<BR />| sort - count<BR /><BR /></P> Mon, 06 Jul 2020 20:04:13 GMT lpolo 2020-07-06T20:04:13Z https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507655#M2449 <P>Let's say we have the following log events:<BR /><BR />time1 text=g &nbsp;count=82<BR />time2 text=f &nbsp;count=80<BR />time3 text=c &nbsp;count=14<BR />time4 text=e &nbsp;count=13<BR />time5 text=b &nbsp;count=11<BR />time6 text=a &nbsp;count=10<BR />time7 text=d &nbsp;count=6<BR /><BR />The following query will get the Top N results:<BR /><BR />earliest=time1 latest=time7 index=blabla |<BR />stat sum(count) as count by text<BR /><BR />Result:<BR />text | count<BR />g &nbsp; 82<BR />f &nbsp; 80<BR />c &nbsp;14<BR />e &nbsp;13<BR />b &nbsp;11<BR />a &nbsp;10<BR />d &nbsp;6<BR /><BR />I need a query to get the Top 3 plus others result example:<BR /><BR />text | count<BR />g &nbsp; 82<BR />f &nbsp; 80<BR />c &nbsp;14<BR />others 40<BR /><BR /></P> Mon, 06 Jul 2020 18:54:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507655#M2449 lpolo 2020-07-06T18:54:52Z https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507659#M2450 <P>See if this helps.</P><LI-CODE lang="markup">| makeresults | eval data="time1 text=g count=82|time2 text=f count=80|time3 text=c count=14|time4 text=e count=13|time5 text=b count=11|time6 text=a count=10|time7 text=d count=6" | eval data=split(data,"|") | mvexpand data | eval _raw=data | extract pairdelim=" " kvdelim="=" `comment("Above just sets up test data")` `comment("Get the top 3 counts and put everything else in 'other'")` | timechart span=1d limit=3 useother=t sum(count) as count by text `comment("Throw out fields we don't need")` | fields - _* `comment("Rotate the results")` | transpose column_name="text" header_field=count | rename "row 1" as count</LI-CODE> Mon, 06 Jul 2020 19:35:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507659#M2450 richgalloway 2020-07-06T19:35:02Z https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507666#M2451 <P>Hi,<BR />Thanks for your response. I forgot about the limit=n in the timechart command. Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR />To complement your response I just added this after the timeshare command<BR /><BR />| timechart span=1d limit=1000 sum(count) by text&nbsp;<BR />| transpose<BR />| search NOT column=_span NOT column=_time<BR />| rename "row 1" as count<BR />| sort - count<BR /><BR /></P> Mon, 06 Jul 2020 20:04:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Top-n-plus-others/m-p/507666#M2451 lpolo 2020-07-06T20:04:13Z