https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37610#M8425 <P>try this<BR /> index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 10 - GB | rename h AS Host</P> Tue, 29 Sep 2020 08:29:46 GMT rameshyedurla 2020-09-29T08:29:46Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37607#M8422 <P>The following search will give the count of events by host and sort the hosts by count, highest to lowest. </P> <P>index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort count</P> <P>Now I just want to show the top 10 hosts based on their high count. Using the head command will show the first 10 hosts that are found and not the top 10 based on the count that i am trying to display. This seems easy enough but i cannot figure it out...</P> <P>Feeling very noob right now, help is always appreciated.</P> <P>Thanks, Iman</P> Thu, 03 Feb 2011 02:22:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37607#M8422 I-Man 2011-02-03T02:22:24Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37608#M8423 <P>I think that's what you're looking for can be achieved by. </P> <PRE><CODE>index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host </CODE></PRE> <P>However, if you would like to use your search you could also achieve the same by: </P> <PRE><CODE>index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count </CODE></PRE> <P>.gz</P> Thu, 03 Feb 2011 02:41:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37608#M8423 Genti 2011-02-03T02:41:14Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37609#M8424 <P>index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort -count | head 10</P> <P>The above search finally worked for me. There was some kind of bug going on that when I clicked on the top of a column to sort via ascending/descending order, the sort -count OR sort +count would make no difference as the column properties take seemed to take precedence. Not sure why but this only happened when the head function was not present. Weird. Thank you anyways for the quick response Genti.</P> Thu, 03 Feb 2011 02:59:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37609#M8424 I-Man 2011-02-03T02:59:26Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37610#M8425 <P>try this<BR /> index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 10 - GB | rename h AS Host</P> Tue, 29 Sep 2020 08:29:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37610#M8425 rameshyedurla 2020-09-29T08:29:46Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37611#M8426 <P>index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort 10 - count</P> Tue, 16 May 2017 03:33:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-10-hosts-after-a-sort/m-p/37611#M8426 renjujacob88 2017-05-16T03:33:26Z