https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324038#M161795 <P>Hello,</P> <P>The most straight forward way to handle this would be to use the top command. </P> <P>A couple of things to note. You'll want to wildcard your sourcetype so that you do indeed pickup the wineventlog sourcetypes (i.e. sourcetype="wineventlog:*"). In addition, you'll want to wrap the OR condition on the Type fields in parenthesis as such (Type="Critique" OR Type="Avertissement")</P> <P>SPL...</P> <P>index="wineventlog" sourcetype="wineventlog:*" SourceName="" (Type="Critique" OR Type="Avertissement") <BR /> | dedup _time SourceName <BR /> | top limit=10 SourceName</P> Mon, 09 Apr 2018 18:28:35 GMT tpeveler_splunk 2018-04-09T18:28:35Z https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324035#M161792 <P>hi<BR /> i use this code<BR /> index="wineventlog" sourcetype="wineventlog:<EM>" SourceName="</EM>" Type="Critique" OR Type="Avertissement" | dedup _time SourceName | table _time SourceName | stats count by SourceName</P> <P>and i would like to keep only the ten important values<BR /> how to do it please???</P> Mon, 09 Apr 2018 15:02:30 GMT https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324035#M161792 jip31jip31 2018-04-09T15:02:30Z https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324036#M161793 <P>use the <CODE>top</CODE> command? <CODE>... | top limit=10 SourceName</CODE><BR /> or maybe <CODE>sort</CODE> command <CODE>... | sort 10 - count</CODE></P> Mon, 09 Apr 2018 15:55:27 GMT https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324036#M161793 adonio 2018-04-09T15:55:27Z https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324037#M161794 <PRE><CODE>index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" | dedup _time SourceName | table _time SourceName | stats count by SourceName | sort - count limit=10 </CODE></PRE> <P>Sort by the field you want the top 10 of. (I used your count)<BR /> Then set limit= for how many you want to keep. </P> Mon, 09 Apr 2018 17:48:08 GMT https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324037#M161794 kmaron 2018-04-09T17:48:08Z https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324038#M161795 <P>Hello,</P> <P>The most straight forward way to handle this would be to use the top command. </P> <P>A couple of things to note. You'll want to wildcard your sourcetype so that you do indeed pickup the wineventlog sourcetypes (i.e. sourcetype="wineventlog:*"). In addition, you'll want to wrap the OR condition on the Type fields in parenthesis as such (Type="Critique" OR Type="Avertissement")</P> <P>SPL...</P> <P>index="wineventlog" sourcetype="wineventlog:*" SourceName="" (Type="Critique" OR Type="Avertissement") <BR /> | dedup _time SourceName <BR /> | top limit=10 SourceName</P> Mon, 09 Apr 2018 18:28:35 GMT https://community.splunk.com/t5/Splunk-Search/extract-top-ten-values/m-p/324038#M161795 tpeveler_splunk 2018-04-09T18:28:35Z