https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606200#M210815 <P>Hi Team</P> <P>&nbsp;</P> <P>I have a query where I am doing the TimeChart &amp; % (not using the timechart and calculate the % in timechart line as this doesn't solve my purpose hence using it this say)<BR /><BR />The query is working fine however it shows all the data on field and I want to have that field only show top 10&nbsp; by volume or count<BR /><BR />Query&nbsp;</P> <LI-CODE lang="markup">index=xyz (catcode="*") (prodid="1") (prodcat="*") success="*" | bucket _time span="1d" | eval TheError=if(success="false" AND Error_Value like "%%",count,0) | eval Success=if(success="true",count,0) | stats sum(TheError) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode | eval Failed_Percent=round((Failed/Total)*100,2) | fields _time, catcode, Failed_Percent | xyseries _time, catcode, Failed_Percent</LI-CODE> <P><BR /><BR /><BR />I don't want to do the 'eventstats' because it will count all on prodid level and not at catcode level hence this query<BR />This query counts all false with error on catcode....and count all attempts on individual catcode, then calculate the %<BR />with event stats the total count will be not at catcode but all prodid count i.e. all catcode's total attempt's count</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>&nbsp;</P> Tue, 19 Jul 2022 16:04:02 GMT beriwalnishant 2022-07-19T16:04:02Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606200#M210815 <P>Hi Team</P> <P>&nbsp;</P> <P>I have a query where I am doing the TimeChart &amp; % (not using the timechart and calculate the % in timechart line as this doesn't solve my purpose hence using it this say)<BR /><BR />The query is working fine however it shows all the data on field and I want to have that field only show top 10&nbsp; by volume or count<BR /><BR />Query&nbsp;</P> <LI-CODE lang="markup">index=xyz (catcode="*") (prodid="1") (prodcat="*") success="*" | bucket _time span="1d" | eval TheError=if(success="false" AND Error_Value like "%%",count,0) | eval Success=if(success="true",count,0) | stats sum(TheError) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode | eval Failed_Percent=round((Failed/Total)*100,2) | fields _time, catcode, Failed_Percent | xyseries _time, catcode, Failed_Percent</LI-CODE> <P><BR /><BR /><BR />I don't want to do the 'eventstats' because it will count all on prodid level and not at catcode level hence this query<BR />This query counts all false with error on catcode....and count all attempts on individual catcode, then calculate the %<BR />with event stats the total count will be not at catcode but all prodid count i.e. all catcode's total attempt's count</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>&nbsp;</P> Tue, 19 Jul 2022 16:04:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606200#M210815 beriwalnishant 2022-07-19T16:04:02Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606201#M210816 <P>To show only the 10 results with the highest values of Failed_Percent you can use the <FONT face="courier new,courier">sort</FONT> command.</P><LI-CODE lang="markup">... | xyseries _time, catcode, Failed_Percent | sort 10 - Failed_Percent</LI-CODE><P>&nbsp;</P> Tue, 19 Jul 2022 15:47:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606201#M210816 richgalloway 2022-07-19T15:47:49Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606202#M210817 <P>At this point in your search:</P><LI-CODE lang="markup">index=xyz (catcode="*") (prodid="1") (prodcat="*") success="*" | bucket _time span="1d" | eval TheError=if(success="false" AND Error_Value like "%%",count,0) | eval Success=if(success="true",count,0) | stats sum(TheError) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode</LI-CODE><P>you have 5 fields, _time, catcode, Failed, Passed and Total.</P><P>Where does prodId come from?</P><P>If you use eventstats at this point, you can sum the Total to find count all the events by catcode.</P><LI-CODE lang="markup">index=xyz (catcode="*") (prodid="1") (prodcat="*") success="*" | bucket _time span="1d" | eval TheError=if(success="false" AND Error_Value like "%%",count,0) | eval Success=if(success="true",count,0) | stats sum(TheError) as "Failed", sum(Success) as "Passed", sum(count) as Total by _time, catcode | eventstats sum(Total) as Total_catcode by catcode</LI-CODE><P>Does that help you? If not, please explain with some examples of what you are currently have and what you would like to see</P> Tue, 19 Jul 2022 15:52:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606202#M210817 ITWhisperer 2022-07-19T15:52:19Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606260#M210850 <P>This only sorts the time and instead of 10 showing single column of catcode...the one is hihest</P> Wed, 20 Jul 2022 03:57:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-Top-limit-10-OR-head-10-not-working-by-Count/m-p/606260#M210850 beriwalnishant 2022-07-20T03:57:45Z