topic How to edit my search to exclude the top 20 noisy results and return the rest? in Splunk Search

How to edit my search to exclude the top 20 noisy results and return the rest?

phant0mgh0st — Tue, 21 May 2019 13:30:01 GMT

I have a splunk search for a list of users performing a particular task. I want to exclude the top 20 noisy results and fetch the other results. How can I do it?
Please help me with this, my sample query is :

source="x"  | stats count by a,b | fields + a,b,count | sort count desc.

Now this generates a big list of results out of which I want to filter out the top 20 noisy results. I tried top 20 followed by the rare command or tail with the reverse command but it doesn't fetch the right results.

Re: How to edit my search to exclude the top 20 noisy results and return the rest?

KailA — Tue, 21 May 2019 15:42:12 GMT

Hello,

After sorting your data, you can try that :

| streamstats count as nb
| where nb > 20

This will remove the first 20 rows of your table 🙂
Let me know if it helps you.

Re: How to edit my search to exclude the top 20 noisy results and return the rest?

koshyk — Tue, 21 May 2019 15:44:12 GMT

The reason is because, sort limits to 10K results by default settings.
An easier option is to do the limiting before itself

source="x" | top a by b

Re: How to edit my search to exclude the top 20 noisy results and return the rest?

Vijeta — Tue, 21 May 2019 16:04:39 GMT

@phant0mgh0st Try something like below to exclude top 20 noisy results

source="x" | stats count by a,b | fields + a,b,count | sort 0 count desc | streamstats count as id| where id > 20