Archive

how to find most popular field over time ?

tariqazeem123
New Member

i have data in default index "main" and has sourcetype "app" and field like program_name.

i want to find most popular programmes over time. can anybody please help me with this ?

0 Karma
1 Solution

snigdhasaxena
Communicator

Hi @tariqazeem123 ,

There are 2 ways:
1. You can run your command and use sort command
index=main sourcetype=app | sort program_name by _time

2.You can use top command and you can limit it to no. of events you want

index=main sourcetype=app | top limit=0 program_name

View solution in original post

0 Karma

snigdhasaxena
Communicator

Hi @tariqazeem123 ,

There are 2 ways:
1. You can run your command and use sort command
index=main sourcetype=app | sort program_name by _time

2.You can use top command and you can limit it to no. of events you want

index=main sourcetype=app | top limit=0 program_name

View solution in original post

0 Karma

amitm05
Builder

Hi @tariqazeem123
You would like to use the top command for this -

index=main sourcetype=app| top limit=0 program_name 

Let me know if there is more to your query. Thanks

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!