I have data in the default index "main" with sourcetype "app" and a field like program_name.
I want to find the most popular programmes over time. Can anybody please help me with this?
Hi @tariqazeem123 ,
There are 2 ways:
1. You can run your search, count the events per programme with the stats command, and then use the sort command (the original answer wrote `sort program_name by _time`, which is not valid sort syntax, so it is corrected here):
index=main sourcetype=app | stats count by program_name | sort -count
2. You can use the top command and limit it to the number of results you want (limit=0 returns all of them):
index=main sourcetype=app | top limit=0 program_name
You would like to use the top command for this -
index=main sourcetype=app | top limit=0 program_name
Let me know if there is more to your query. Thanks.
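Both answers above rank programmes over the whole search window, but the question asks for the most popular programmes over time. As an added example that is not part of either answer, the search below assumes the same index, sourcetype and program_name field from the question, buckets events into one-day spans with bin, and then uses top with a by clause so that the top five programmes are reported separately for each day (the span and limit values are assumptions; adjust them to your data):

```spl
index=main sourcetype=app
| bin _time span=1d
| top limit=5 program_name by _time
```

The result has one row per day and programme with count and percent columns, the same fields top produces without a by clause. If a chart is preferred, `| timechart span=1d count by program_name limit=5 useother=f` gives the same daily counts as a time series instead of a table.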