topic Re: Why is the top command not separating out top values for each numerical data field? in Splunk Search

Why is the top command not separating out top values for each numerical data field?

lagoon7mac — Mon, 08 Oct 2012 11:58:18 GMT

I have numerical data into 5 different fields that occurs daily and indexed into splunk. I am trying to see what the top values per field and chart that before I perform other stats commands. So if i perform sourcetype=numdata NOT "TEXTDATA" | top limit=10 field1", I get the top values of the field. When I add "top field1, field2, field3" then I get all of the top values for the fields combined. I would like to get the top values per field? Does anyone know how to SPL this?

Re: Why is the top command not separating out top values for each numerical data field?

sdaniels — Mon, 08 Oct 2012 12:13:56 GMT

You might be able to use the append command depending on the type of data and if the values make sense to be charted together.

sourcetype=numdata NOT "TEXTDATA" | top 10 field1 | append [ sourcetype=numdata NOT "TEXTDATA" | top 10 field2 ]  etc.....

Re: Why is the top command not separating out top values for each numerical data field?

lagoon7mac — Sun, 17 Feb 2013 12:05:20 GMT

That works with the addition of the search command at the begining of the search bracket so [ sourcetype=numdata... ] becomes [ search sourcetype=numdata ....]