topic Re: How to limit my search to return only the top 10 results based on the following search queries ? in Splunk Search

How to limit my search to return only the top 10 results based on the following search queries ?

ranjyotiprakash — Mon, 28 Sep 2020 11:56:24 GMT

I am using these search queries and I want to restrict the search to return only the top ten results.

How to do it ?

The search queries I am using are :

sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) BY client_ip

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) BY URL

Thanks...

Re: How to limit my search to return only the top 10 results based on the following search queries ?

lpolo — Wed, 13 Jun 2012 11:53:41 GMT

Try this:

your_query | sort - sum(bandwidth) | head 10

you may want to name your field "bandwidth" as follow:

sourcetype="access" | stats sum(bytes_sent) as bandwidth BY client_ip | eval bandwidth=round(bandwidth/1024,2)  | sort - bandwidth | head 10

sourcetype="access" | stats sum(bytes_sent) as bandwidth BY URL | sort - bandwidth | eval bandwidth=round(bandwidth/1024,2) | head 10

Re: How to limit my search to return only the top 10 results based on the following search queries ?

Lamar — Wed, 13 Jun 2012 12:02:05 GMT

You may want to use top for this.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Top

sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by client_ip

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by URL

Hope that helps.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

ziegfried — Wed, 13 Jun 2012 12:34:44 GMT

This is actually incorrect. The top command will deliver the most common values, not the greatest ones.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

sdaniels — Wed, 13 Jun 2012 12:35:51 GMT

The head command will give you the first 10 results whereas the top command will give you the most common values of a particular field.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

ziegfried — Wed, 13 Jun 2012 12:38:20 GMT

But that's probably the most reasonable result for the question.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

sdaniels — Wed, 13 Jun 2012 12:39:17 GMT

If you just want the greatest values and not the top 10 just sort it in descending order.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

ziegfried — Wed, 13 Jun 2012 12:40:44 GMT

The question kind-of indicates the 10 greatest values.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

ziegfried — Wed, 13 Jun 2012 12:44:23 GMT

I've slightly changed the search to do the "round" after the aggregation. This is better because it reduces the rounding error.

Re: How to limit my search to return only the top 10 results based on the following search queries ?

ranjyotiprakash — Thu, 14 Jun 2012 05:07:52 GMT

Thanks a lot for your replies.. "head" works ...

Re: How to limit my search to return only the top 10 results based on the following search queries ?

SanthoshSreshta — Tue, 12 May 2015 05:29:20 GMT

Why they have used sort - bandwidth there ..can u please explain me

Re: How to limit my search to return only the top 10 results based on the following search queries ?

MuS — Tue, 12 May 2015 05:33:19 GMT

from the docs about sort http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Sort :

Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).

Re: How to limit my search to return only the top 10 results based on the following search queries ?

SanthoshSreshta — Tue, 12 May 2015 06:17:01 GMT

yah.!!
Got it. Thank you. 🙂

Re: How to limit my search to return only the top 10 results based on the following search queries ?

Konrad_Schlude — Mon, 08 Jan 2024 14:54:12 GMT

The usage of sort is fine if the number of items is not too large. To sort a large number of items is time consuming, and there is a limit in Splunk. Because of the limit, the attempt to sort the items and then to select the first 10 items might end in a wrong result.

In order to avoid this, I filter all items above/below a limit that is specific to the problem. For instance, 50 000 records are processed, more than 49 000 records are processed within 2 seconds, but there are a few records for which the processing takes more time. So I set the limit to 2 seconds.
However, if there are just a few records, e.g., 10, then it might be the case that the list of Top 10 results is empty because all of them are below the limit of 2 seconds.