https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170431#M48761 <P>You're very close! The thing you're missing is that the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/sort">sort</A> command can take a number to give the top N. </P> <P>So all you have to do is change your line: </P> <PRE><CODE>| sort - "Total Errors" </CODE></PRE> <P>to:</P> <PRE><CODE>| sort 20 - "Total Errors" </CODE></PRE> Tue, 23 Jun 2015 18:04:46 GMT acharlieh 2015-06-23T18:04:46Z https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170429#M48759 <P>I have only been using Splunk for a few days and couldn't find an answer to this question.<BR /> I want to find the client IPs that are generating the most errors and display the count of each specific error as well. However, I want my search to be limited to 20 client IPs (the 20 that generate the most errors).<BR /> I'm able to get a list of all client IPs right now</P> <PRE><CODE>index=blah tag=blah AND (status=302 OR status=304 OR status=403 OR status=404 OR status=500) | stats count(status) as "Total Errors" count(eval(status=302)) as "302 Count" count(eval(status=304)) as "304 Count" count(eval(status=403)) as "403 Count" count(eval(status=404)) as "404 Count" count(eval(status=500)) as "500 Count" by clientip | sort -"Total Errors" </CODE></PRE> <P>This creates a table like so:</P> <PRE><CODE>clientip | Total Errors | 302 Count | 304 Count | 403 Count | 404 Count | 500 Count 142.182.28 | 20 | 13 | 5 | 1 | 1 | 0 </CODE></PRE> <P>I'm not showing all the results obviously, but the table lists data for every clientip and every time I try to limit the results, the search is messed up. I would appreciate any help with what I am doing wrong.</P> Tue, 23 Jun 2015 17:46:32 GMT https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170429#M48759 Kaitrono 2015-06-23T17:46:32Z https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170430#M48760 <P>How about <CODE>... | sort - "Total Errors" | top limit=20 "Total Errors"</CODE> ?</P> Tue, 23 Jun 2015 18:04:15 GMT https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170430#M48760 richgalloway 2015-06-23T18:04:15Z https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170431#M48761 <P>You're very close! The thing you're missing is that the <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/sort">sort</A> command can take a number to give the top N. </P> <P>So all you have to do is change your line: </P> <PRE><CODE>| sort - "Total Errors" </CODE></PRE> <P>to:</P> <PRE><CODE>| sort 20 - "Total Errors" </CODE></PRE> Tue, 23 Jun 2015 18:04:46 GMT https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170431#M48761 acharlieh 2015-06-23T18:04:46Z https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170432#M48762 <P>Except that using <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/top">top</A> would eliminate the all of the other fields, "clientip", and the "### Count"</P> Tue, 23 Jun 2015 18:07:53 GMT https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170432#M48762 acharlieh 2015-06-23T18:07:53Z https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170433#M48763 <P>Thank you! I was not aware sort could take that parameter and this worked.</P> Tue, 23 Jun 2015 18:20:21 GMT https://community.splunk.com/t5/Splunk-Search/Find-top-20-client-IPs-that-generate-the-most-errors-and-display/m-p/170433#M48763 Kaitrono 2015-06-23T18:20:21Z