topic Re: how to create a top 5 of results and a bin for the rest of them (sorted stack bars) in Splunk Search

how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

wsw70 — Tue, 24 Sep 2013 12:52:53 GMT

Hi,

Now that I know, thanks to R.Turk, how to sort stacked bar charts I wanted to pick a top 5 of the results. This works fine by adding a | head 5 to the search.

Is there a way to gather all the other events (the ones which did not make it to the top 5) in a separate bar called "others" (or whatever)?

Thanks!

Re: how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

kristian_kolb — Tue, 24 Sep 2013 13:58:49 GMT

Could this be of use? top has a useother parameter that can be used to bunch the remaining events together into OTHER, like so;

sourcetype=access_combined | top 5 clientip useother=t

Re: how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

wsw70 — Tue, 24 Sep 2013 14:07:36 GMT

This does not work, unfortunately. Even a plain top 5 total returns empty results.

Re: how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

kristian_kolb — Tue, 24 Sep 2013 20:01:50 GMT

eeh you need to do top 5 something. Is total a field that exists in some/most/all of your events?

You know that top is not the same as max? top will look at the frequency of values for the specified field, not whether a value is higher than another.

Re: how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

wsw70 — Wed, 25 Sep 2013 05:47:54 GMT

Sorry, I was not clear enough when referring to the previous post on sorting bar charts. The search over there was

<base search> | chart count over N_vendor by N_subnetname | addtotals fieldname=total | sort -total | fields - total

so total is indeed defined.