https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135430#M37035 <P>Thank you for reply,</P> <P>I tried to update the config file:<BR /> splubk/etc/apps/search/default/props.conf<BR /> [splunk_web_service]<BR /> EXTRACT-raw=^[.<EM>?](?<RAW>.8</RAW></EM>)</P> <P>And tried to search through the browser<BR /> source="/var/log/httpd/*-error_log" | top raw limit=10</P> <P>but no luck:<BR /> No results found.</P> <P>I want to find the top 10 raw repeated in any log file such as Apache error log.</P> <P>Can you help me?</P> <P>Thanks</P> Mon, 28 Sep 2020 17:40:22 GMT jalalallam 2020-09-28T17:40:22Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135428#M37033 <P>Hello,</P> <P>I would like to create a search that select the top 10 events </P> <P>Like this:</P> <H2>event count percent</H2> <P>[Mon Sep 22 17:14:36 2014] [error] [client XXX] File does not exist: /var/www/html/home-store 1000 30<BR /> [Mon Sep 22 15:53:37 2014] [error] [client XXX] Bean "Hits_Bean_List.__isset" does not support attrib 500 20</P> <P>Any suggestions? Any idea is welcome.</P> <P>Thanks</P> Mon, 28 Sep 2020 17:39:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135428#M37033 jalalallam 2020-09-28T17:39:29Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135429#M37034 <P>First, if timestamp does not matter, you may want to extract a fields, say called raw, that has only the event. I'm assuming the pattern above are for all your events. Example props.conf</P> <PRE><CODE>[Insert Name of your sourcetype] EXTRACT-raw=^\[.*?\](?P&lt;raw&gt;.*) </CODE></PRE> <P>Then, simply run the search:</P> <PRE><CODE>sourcetype="Insert name of your sourcetype"|top raw limit=10 </CODE></PRE> <P>I'm not sure if this answers your question I don't know if all your events follow the pattern above. Nevertheless, the top command can get you there.</P> Mon, 22 Sep 2014 17:36:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135429#M37034 ndoshi 2014-09-22T17:36:18Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135430#M37035 <P>Thank you for reply,</P> <P>I tried to update the config file:<BR /> splubk/etc/apps/search/default/props.conf<BR /> [splunk_web_service]<BR /> EXTRACT-raw=^[.<EM>?](?<RAW>.8</RAW></EM>)</P> <P>And tried to search through the browser<BR /> source="/var/log/httpd/*-error_log" | top raw limit=10</P> <P>but no luck:<BR /> No results found.</P> <P>I want to find the top 10 raw repeated in any log file such as Apache error log.</P> <P>Can you help me?</P> <P>Thanks</P> Mon, 28 Sep 2020 17:40:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135430#M37035 jalalallam 2020-09-28T17:40:22Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135431#M37036 <P>Sorry, I had two typos in there. Change that in props.conf to what is now listed in the answer.</P> <P>You can use <A href="http://regex101.com/" target="_blank">http://regex101.com/</A> to test a regex (remove the ?P in the test regex). BTW, you should put your props.conf in $SPLUNK_HOME/etc/apps/search/local/props.conf</P> <P>Your search would be: sourcetype=splunk_web_service|top raw limit=10</P> <P>This assumes that your source "/var/log/httpd/*-error_log" is indeed tied to this sourcetype.</P> Mon, 28 Sep 2020 17:40:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-my-search-to-return-only-the-top-10-events/m-p/135431#M37036 ndoshi 2020-09-28T17:40:41Z