https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418040#M170807 <P>Hi Kamlesh,</P> <P>Thank you for the immediate response.</P> <P>It worked with the above command. :):)</P> Tue, 11 Jun 2019 06:16:43 GMT corecomputetool 2019-06-11T06:16:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418035#M170802 <P>is this command is correct ?</P> <P>** | chart count by sourcetype | sort count desc*</P> Tue, 11 Jun 2019 05:29:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418035#M170802 corecomputetool 2019-06-11T05:29:14Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418036#M170803 <P>@corecomputetools </P> <P>Have you tried <CODE>limit</CODE>?</P> <P><CODE>| chart count by sourcetype | sort limit=10 -count</CODE></P> Tue, 11 Jun 2019 05:44:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418036#M170803 kamlesh_vaghela 2019-06-11T05:44:45Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418037#M170804 <P>no, this limit=1denotes of ?</P> Tue, 11 Jun 2019 05:46:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418037#M170804 corecomputetool 2019-06-11T05:46:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418038#M170805 <P><CODE>limit=10</CODE> display top 10 values.</P> <PRE><CODE>index=_internal | chart count by sourcetype | sort limit=10 -count </CODE></PRE> Tue, 11 Jun 2019 05:54:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418038#M170805 kamlesh_vaghela 2019-06-11T05:54:04Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418039#M170806 <P>@corecomputetools,</P> <P>Please try below query .. </P> <PRE><CODE> index=* | chart count by sourcetype | sort limit=10 -count index=* | chart count by sourcetype | sort -count | head 10 </CODE></PRE> <P>Thanks.. </P> Tue, 11 Jun 2019 06:14:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418039#M170806 Shan 2019-06-11T06:14:14Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418040#M170807 <P>Hi Kamlesh,</P> <P>Thank you for the immediate response.</P> <P>It worked with the above command. :):)</P> Tue, 11 Jun 2019 06:16:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418040#M170807 corecomputetool 2019-06-11T06:16:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418041#M170808 <P>Thank you !! </P> Tue, 11 Jun 2019 06:20:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418041#M170808 corecomputetool 2019-06-11T06:20:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418042#M170809 <P>Hi @corecomputetools,</P> <P>Use the following for getting the list of top indexes : </P> <PRE><CODE>|tstats count where index=* by index | sort limit=10 -count </CODE></PRE> <P>For index and sourcetype:</P> <PRE><CODE>|tstats count where index=* by index,sourcetype | sort limit=10 count </CODE></PRE> <P>PS: Avoid using <CODE>index=*</CODE> as it will run very slow and consume resources for nothing.</P> <P>Cheers,<BR /> David</P> Tue, 11 Jun 2019 06:21:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418042#M170809 DavidHourani 2019-06-11T06:21:37Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418043#M170810 <P>Thanks for the update.</P> Tue, 11 Jun 2019 06:26:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418043#M170810 corecomputetool 2019-06-11T06:26:14Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418044#M170811 <P>@corecomputetools</P> <P>Glad to help you. Please upvote any comments which help you.</P> <P><STRONG>Happy Splunking</STRONG></P> Tue, 11 Jun 2019 06:27:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418044#M170811 kamlesh_vaghela 2019-06-11T06:27:18Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418045#M170812 <P>Most welcome, use the <CODE>tstats</CODE> when trying to access metadata and display a count by index, host or even sourcetype. Let me know if you're getting faster results with this search <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 11 Jun 2019 06:34:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-10-data-source-from-Splunk/m-p/418045#M170812 DavidHourani 2019-06-11T06:34:30Z