<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to get top 20 with 2 conditions in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625093#M217292</link>
    <description>&lt;P&gt;solved, thanks gcusello&lt;/P&gt;</description>
    <pubDate>Thu, 22 Dec 2022 14:18:37 GMT</pubDate>
    <dc:creator>langtuphidao</dc:creator>
    <dc:date>2022-12-22T14:18:37Z</dc:date>
    <item>
      <title>How to get top 20 with 2 conditions?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625072#M217289</link>
      <description>&lt;P&gt;I have some logs, and I want to get the top 20 with 2 conditions:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I use:&amp;nbsp;index="fortinet" |top srcip srcname&lt;/P&gt;
&lt;P&gt;but the chart doesn't show srcname.&lt;/P&gt;
&lt;P&gt;Please help me.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Dec 22 18:55:00 192.168.100.99 date=2022-12-22 time=18:54:56 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710096306112037 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.114 srcname="DESKTOP-KOTPUP7" srcport=50113 srcintf="LAN2-6" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640983 proto=17 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="DNS" trandisp="snat" transip=117.2.159.103 transport=50113 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="default" duration=180 sentbyte=76 rcvdbyte=141 sentpkt=1 rcvdpkt=1 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:71:41:ee" srcmac="00:0c:29:71:41:ee" srcserver=0





Dec 22 18:54:59 192.168.100.99 date=2022-12-22 time=18:54:55 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710095776077392 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49177 srcintf="lan" srcintfrole="lan" dstip=172.64.138.25 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641377 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49177 duration=101 sentbyte=1295 rcvdbyte=2390 sentpkt=8 rcvdpkt=7 appcat="unscanned" wanin=2098 wanout=871 lanin=871 lanout=871 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0


Dec 22 18:54:58 192.168.100.99 date=2022-12-22 time=18:54:54 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710094938835145 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.110 srcname="DESKTOP-ANV" srcport=60294 srcintf="LAN2-6" srcintfrole="lan" dstip=20.198.119.143 dstport=443 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="India" sessionid=22992698 proto=6 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="HTTPS" trandisp="snat" transip=117.2.159.103 transport=60294 appcat="unknown" applist="default" duration=100324 sentbyte=309709 rcvdbyte=429373 sentpkt=3357 rcvdpkt=3357 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 sentdelta=370 rcvddelta=510 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:1e:9b:90" srcmac="00:0c:29:1e:9b:90" srcserver=0


Dec 22 18:54:56 192.168.100.99 date=2022-12-22 time=18:54:52 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710092246081148 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49182 srcintf="lan" srcintfrole="lan" dstip=117.18.232.240 dstport=80 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641463 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTP" trandisp="snat" transip=14.167.188.236 transport=49182 duration=77 sentbyte=659 rcvdbyte=462 sentpkt=7 rcvdpkt=4 appcat="unscanned" wanin=290 wanout=287 lanin=287 lanout=287 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0


Dec 22 18:54:49 192.168.100.99 date=2022-12-22 time=18:54:45 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710085749980099 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=49835 srcintf="lan" srcintfrole="lan" dstip=40.83.240.146 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23151816 proto=6 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49835 duration=69719 sentbyte=19123 rcvdbyte=27448 sentpkt=189 rcvdpkt=189 appcat="unscanned" sentdelta=180 rcvddelta=251 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0


Dec 22 18:54:44 192.168.100.99 date=2022-12-22 time=18:54:40 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710080306081096 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=61196 srcintf="lan" srcintfrole="lan" dstip=13.35.166.100 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="Taiwan" sessionid=23641845 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=61196 duration=1 sentbyte=1244 rcvdbyte=6581 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=6129 wanout=664 lanin=664 lanout=664 utmaction="allow" countweb=1 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0


Dec 22 18:54:37 192.168.100.99 date=2022-12-22 time=18:54:33 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710072616128264 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.19 srcname="DQ" srcport=59337 srcintf="lan" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640850 proto=17 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="DNS" trandisp="snat" transip=14.167.188.236 transport=59337 duration=180 sentbyte=73 rcvdbyte=175 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" srcfamily="Virtual Machine" osname="Windows" srchwversion="Workstation pro" srcswversion="10" mastersrcmac="00:0c:29:5f:d9:52" srcmac="00:0c:29:5f:d9:52" srcserver=0&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Dec 2022 16:28:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625072#M217289</guid>
      <dc:creator>langtuphidao</dc:creator>
      <dc:date>2022-12-22T16:28:07Z</dc:date>
    </item>
    <item>
      <title>Re: How to get top 20 with 2 conditions</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625076#M217290</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252389"&gt;@langtuphidao&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;this happens because a chart can use only one field as the x-axis; if you want to display both fields on the x-axis, you have to merge them using eval, something like this:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index="fortinet" 
| eval column=srcip." - ".srcname
| top column&lt;/LI-CODE&gt;&lt;P&gt;Note that top returns only 10 rows by default, so use top limit=20 column to get the top 20; events that have no srcname are left out, because the concatenation is null when either field is missing.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Thu, 22 Dec 2022 12:14:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625076#M217290</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-12-22T12:14:18Z</dc:date>
    </item>
    <item>
      <title>Re: How to get top 20 with 2 conditions</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625093#M217292</link>
      <description>&lt;P&gt;solved, thanks gcusello&lt;/P&gt;</description>
      <pubDate>Thu, 22 Dec 2022 14:18:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625093#M217292</guid>
      <dc:creator>langtuphidao</dc:creator>
      <dc:date>2022-12-22T14:18:37Z</dc:date>
    </item>
    <item>
      <title>Re: How to get top 20 with 2 conditions</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625106#M217295</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252389"&gt;@langtuphidao&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;good for you, see you next time!&lt;/P&gt;&lt;P&gt;Please accept one answer to help other people in the Community&lt;/P&gt;&lt;P&gt;Ciao and happy splunking&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;&lt;P&gt;P.S.: Karma Points are appreciated &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Dec 2022 15:57:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-get-top-20-with-2-conditions/m-p/625106#M217295</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-12-22T15:57:01Z</dc:date>
    </item>
  </channel>
</rss>

