topic How to Get required top users where I am sorting timechart by user in Splunk Search

How to Get required top users where I am sorting timechart by user

tkadale — Tue, 26 Apr 2011 08:53:50 GMT

I am showing a timechart by users. I want to show top 10 users on the graph having some particular condition. How to achieve that??

Re: How to Get required top users where I am sorting timechart by user

Christian — Tue, 26 Apr 2011 14:31:22 GMT

Hi,

i think head will resolve your question : http://www.splunk.com/base/Documentation/latest/SearchReference/Head

mysearchquery | head 10

christian

Re: How to Get required top users where I am sorting timechart by user

sideview — Tue, 26 Apr 2011 16:35:47 GMT

Well what's your particular condition?

The idea is to use the search language before the timechart clause, to filter the set of users down to whatever it is you want, and then pipe those filtered results to timechart count by user. You might use searchterms using the =, < or > operators, you might have a parenthetic clause like (foo OR bar OR baz), or some NOT terms like NOT status=304, you can pipe to the eval or rex commands to do fancier things, then you filter again with another search clause or a where clause, etc. The sky's the limit.

Re: How to Get required top users where I am sorting timechart by user

howyagoin — Tue, 26 Apr 2011 21:17:34 GMT

Just to chime in with the others, I do something akin to what you do with the following:

<various search commands> | stats count by Username | sort limit=10 -count

I have a field which is recognised as Username and have found this gets me the result I want best. Not quite a timechart, but, easy enough to modify to get that.

Re: How to Get required top users where I am sorting timechart by user

Christian — Wed, 27 Apr 2011 08:13:39 GMT

just to make this all complete watch also for the top command (http://www.splunk.com/base/Documentation/latest/SearchReference/top)