topic Re: How do I show other fields after top? in Splunk Search

How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 10:28:45 GMT

I'm not able to show other fields after top, below is my search string.

index=* type=event subtype=system logid=0100041000 | rex field=_raw "virdb\((?<virdbver>.*?)\) etdb\((?<etdbver>.*?)\)" | top 1 virdbver by devname | fields - percent count | sort -date -time | rename date as "Date:", time as "Time:", devname as "Device Name:", virdbver as "AV Definitions:"

The other fields I'm trying to show are, the date and time field. When I searched regarding this, I kept getting results saying that it's not possible to show other fields after doing top.

Re: How do I show other fields after top?

gfreitas — Wed, 20 Jul 2016 11:41:34 GMT

After the top command you are creating a table with 4 fields: virdbver, devname, count and percent. If you want the field date and time, you must use them on the top command e.g:

index=* type=event subtype=system logid=0100041000 | rex field=_raw "virdb\((?.*?)\) etdb\((?.*?)\)" | top 1 virdbver by devname, date, time

Re: How do I show other fields after top?

inventsekar — Wed, 20 Jul 2016 11:50:09 GMT

by this fields - percent count, you are restricting the results only to two fields - "percent count".
please try - fields - percent count date time

 index=* type=event subtype=system logid=0100041000 | rex field=_raw "virdb\((?.*?)\) etdb\((?.*?)\)" | top 1 virdbver by devname | fields - percent count date time | sort -date -time | rename date as "Date:", time as "Time:", devname as "Device Name:", virdbver as "AV Definitions:"

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 12:08:00 GMT

Wow. Thanks! I didn't put the comma and it didn't work. That was why I asked the question. But I do have another problem. How do I move the columns?

EDIT: Sorry, it doesn't work. Once I put in the date and time, all the values come back. I only want the one with the highest virdbver value of each devname.

Re: How do I show other fields after top?

inventsekar — Wed, 20 Jul 2016 12:27:06 GMT

But I do have another problem. How do I move the columns?
on the "rename" command, you can change/move the "order" to move the columns.
rename virdbver as "AV Definitions:", devname as "Device Name:", date as "Date:", time as "Time:"

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 12:42:27 GMT

That doesn't work. As you can see from above, I've already set it to rename date as "Date:", time as "Time:", devname as "Device Name:", virdbver as "AV Definitions:" but yet, it's coming out as Device Name, Date, Time, AV Definitions.

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 12:49:26 GMT

You cannot show fields after top. This command does a statistical summary of the raw events and this process (obviously) consumes (supplants) those raw events. Think about it: If you asked "What were the top 10 most dangerous cities last year?" What "date" would you use? If your answer is 2015 then you can do this by adding | addinfo to the end of your search. This will add info_min_time and info_max_time to your search and you can do what you please with that. If you had any other answer, you are not only out of luck, but a rather strange person.

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 12:51:08 GMT

Don't know why my previous reply to your comment got removed but, "fields - percent count" removes those fields.

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 12:53:20 GMT

addinfo unfortunately adds information about that search though. the date and time fields are from the event itself.

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 12:55:29 GMT

If you have fields C A B in that order, you can rearrange them like this | fields A B C and to rename then you just add this | rename A AS X B AS Y C AS Z.

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 12:57:17 GMT

As I said, your desire is nonsensical. If you can explain a rational context for your desire (what kind of _time value makes any sense at all) then people can give you a solution that uses a stats instead of top.

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 12:58:01 GMT

I understand your "What were the top 10 most dangerous cities last year?" thingy but look at it this way instead,
"What's the latest AV definition on this device and when did it update?" That's what I want to know.

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 13:02:52 GMT

but putting fields after top will undo the top. For example if I don't have fields after top, it gets me the top value for virdbver by devname as such,

              firewall1                   definition1.11
              firewall2                   definition1.11
              firewall3                   definition1.09

but after I put in fields, it becomes like this,

              firewall1                   definition1.11
              firewall1                   definition1.10
              firewall1                   definition1.09
              firewall2                   definition1.11
              firewall3                   definition1.09

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 13:06:01 GMT

I'm sorry but, I don't get you. Why is my desire nonsensical? I'm trying to Splunk to only show the highest definition value of devname and show the date and time of when it updated to said value of definition. Why is this desire nonsensical?

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 13:10:40 GMT

You are misunderstanding what top does and assuming that it is like head. Even though there is a head command, it cannot be vectored like you are desiring. What you need is the dedup command. Try this:

index=* type=event subtype=system logid=0100041000 | rex field=_raw "virdb\((?<virdbver>.*?)\) etdb\((?<etdbver>.*?)\)"
| dedup devname
| table date time devname virdbver
| rename date AS "Date:" time AS "Time:", devname AS "Device Name:" virdbver AS "AV Definitions:"

Alternatively, you may be seeking this (if there can ever be downgrades to the virdbver):

index=* type=event subtype=system logid=0100041000 | rex field=_raw "virdb\((?<virdbver>.*?)\) etdb\((?<etdbver>.*?)\)"
| sort 0 - virdbver
| dedup devname
| table date time devname virdbver
| rename date AS "Date:" time AS "Time:", devname AS "Device Name:" virdbver AS "AV Definitions:"

Note: perhaps you will need to use sort 0 virdbver instead of sort 0 - virdbver; try both.

Re: How do I show other fields after top?

ZacEsa — Wed, 20 Jul 2016 13:31:49 GMT

Yes! Thank you so much! The second one worked like a charm! First one doesn't work because like I said in my other comment, some events don't have virdbver fields. The sorting of virdbver removes those events without virdbver field. Genius!

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 13:41:43 GMT

Now do you see why I said your request was "nonsensical"? The only context that you gave us was your search in which you were (MIS)using the top command. Here are your mistakes:

1: You did not take the time to clearly explain what you were trying to do.
2: You made assumptions about how the top command works without reading the documentation.
3: Despite many comments and answers, you did not clearly restate your desires.
4: You downvoted people who were 100% correct (about your question being nonsensical).

As a result, many people wasted much time trying to help you and the worst part is that some were actually penalized for it. This is not the way to get help in the future. The bottom line is:

The BETTER QUALITY question that you ask, then quicker and better quality answers you will get. It is mostly up to you. We don't know what you mean; we have no choice but to go by what you say.

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 13:43:52 GMT

I already explained why it is nonsensical. Go back and re-read it. Maybe you need to read the documentation for the top command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/top

Re: How do I show other fields after top?

woodcock — Wed, 20 Jul 2016 13:44:09 GMT

Now I see your problem; see new answer.