List top 10 values for each fields of an index

fabienpe — Thu, 31 Aug 2023 14:45:38 GMT

Hello,

I'm new to Splunk and despite searching extensively on this community site, I was not able to find a solution for what I thought was a rather simple problem. I would like to list, for each field in my index, the list of top 10 values.

I've tried different commande with stats values and top, and the following one gives me what's closest, but the output is messy:

index = my_index | multireport [top limit=10 field_1] [top limit=10 field_2] [top limit=10 field_3]

I do get the top values of each field presented in different columns of the output, but also get many empty cells:

field_1	field_2	field_3
	a top value of field_2
	a top value of field_2
	a top value of field_2
		a top value of field_3
		a top value of field_3
a top value of field_1
a top value of field_1

while i would like something like that:

field_1	field_2	field_3
a top value of field_1	a top value of field_2	a top value of field_3
a top value of field_1	a top value of field_2	a top value of field_3
	a top value of field_2

Has someone any idea how I could cleanup the output, and, ideally, easily loop through the column names so I don't have to write their name manually.

Thank!

Re: List top 10 values for each fields of an index

ITWhisperer — Thu, 31 Aug 2023 14:53:12 GMT

Re: List top 10 values for each fields of an index

fabienpe — Thu, 31 Aug 2023 14:59:53 GMT

Thanks!!

topic List top 10 values for each fields of an index in Splunk Search

List top 10 values for each fields of an index

Re: List top 10 values for each fields of an index

Re: List top 10 values for each fields of an index