topic Re: Remove top from results in Splunk Search

Remove top from results

rhum_defintel — Mon, 05 Mar 2012 21:54:59 GMT

I want to remove the top results from my final results. Essentially, removing outliers.

Ayn — Mon, 05 Mar 2012 21:57:38 GMT

Give more details on what you want to achieve, preferrably with some sample events so we know more about how to solve the problem.

rhum_defintel — Mon, 05 Mar 2012 21:59:37 GMT

I have a timechart that has spikes of data. I would like to remove those spikes so I can calculate an average.

Ayn — Mon, 05 Mar 2012 22:07:56 GMT

There's also a number of statistical functions available that might be suitable for you to use: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

yannK — Mon, 05 Mar 2012 22:47:56 GMT

if you want to filter the highest values, you can use a where condition, or an eval to normalize it.

example :

sourcetype=mysourcetype | where myfield < 100 | timechart max(myfield) by host

sourcetype=mysourcetype | eval myfield=if(myfield<100,myfield,0) | timechart max(myfield) by host

rhum_defintel — Thu, 08 Mar 2012 19:33:26 GMT

I want to remove the results that are listed in top.

landen99 — Fri, 08 Aug 2014 18:09:16 GMT

search | sort -field1 | head 20

landen99 — Fri, 08 Aug 2014 18:10:19 GMT

grabs bottom 20 results

devin_stonecyph — Tue, 23 Sep 2014 22:10:56 GMT

altink — Tue, 22 Aug 2017 21:33:38 GMT

Hello

is there any development on this ?

remove top x rows from result

best regards
Altin