https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610171#M212181 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165039">@chaker</a>&nbsp;Unfortunately, your suggestion that still provide another way to express a table but only take the top 5 in alphabetic not in term of less or most use</P> Fri, 19 Aug 2022 19:01:04 GMT ephenix 2022-08-19T19:01:04Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610075#M212144 <P>Hi,</P><P><SPAN>I'm building a report to count the numbers of events per AWS accounts vs Regions with stats and xyseries. It works well but I would like to filter to have only the 5 rare regions (fewer events). When I'm adding the rare, it just doesn’t work.&nbsp;&nbsp;<BR /></SPAN><BR />index=aws sourcetype="aws:cloudtrail"<BR />| rare limit=5 awsRegion&nbsp;<BR />| stats count by awsRegion, account<BR />| xyseries account awsRegion count</P><P>Any ideas?</P><P>Thanks</P> Fri, 19 Aug 2022 05:52:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610075#M212144 ephenix 2022-08-19T05:52:37Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610077#M212145 <P><SPAN>Something like this should work, I don't have any cloudtrail data on hand at the moment.</SPAN></P><P><SPAN><BR />index=aws sourcetype="aws:cloudtrail"</SPAN><BR />| chart count by <SPAN>account</SPAN> <SPAN>awsRegion&nbsp;&nbsp;</SPAN>limit=0<BR />| addtotals<BR />| sort limit=5 Total</P> Fri, 19 Aug 2022 06:03:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610077#M212145 chaker 2022-08-19T06:03:28Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610083#M212146 <P>The reason it doesn't work is that rare will only leave the regions without the corresponding accounts</P><P>Assuming you want the counts for all the accounts in the 5 lowest total regions, you could do something like this:</P><LI-CODE lang="markup">index=aws sourcetype="aws:cloudtrail" | stats count by awsRegion account | eventstats sum(count) as total by awsRegion | sort 0 total awsRegion | streamstats dc(awsRegion) as rank | where rank &lt; 6 | xyseries account awsRegion count</LI-CODE> Fri, 19 Aug 2022 07:07:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610083#M212146 ITWhisperer 2022-08-19T07:07:53Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610169#M212180 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, Great look like it is working! Interesting new approach that I will explore more.&nbsp;<BR /><BR />I also add a total to sort it not sure it is the most efficient way but it did work.&nbsp;<BR /><BR />index=aws sourcetype="aws:cloudtrail"<BR />| stats count by awsRegion account<BR />| eventstats sum(count) as total by awsRegion<BR />| sort 0 total awsRegion<BR />| streamstats dc(awsRegion) as rank<BR />| where rank &lt; 5<BR />| xyseries account awsRegion count<BR />| addtotals fieldname=TotalEvents<BR />| eval TotalEvents=TotalEvents-account<BR />| sort TotalEvents</P> Fri, 19 Aug 2022 19:08:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610169#M212180 ephenix 2022-08-19T19:08:34Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610171#M212181 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165039">@chaker</a>&nbsp;Unfortunately, your suggestion that still provide another way to express a table but only take the top 5 in alphabetic not in term of less or most use</P> Fri, 19 Aug 2022 19:01:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-number-of-column-in-xyseries-with-TOP-or-RARE/m-p/610171#M212181 ephenix 2022-08-19T19:01:04Z