I need to find the top five sources. By default, Splunk displays the top ten most commonly used or found values, so I need to narrow it down to find the top 5 source files. I have tried using the following search criteria, but nothing displays:
index=summary_volume report=volume_source | eval _time=info_max_time | timechart span=1m latest(VOL_MB) by series | top limit=5 source
It doesn't display any results.
How do you define "top 5"? Is it the five sources with the greatest total volume over the whole time period? If so, this should do it:
index=summary_volume report=volume_source | eval _time=info_max_time
| timechart span=1m limit=5 latest(VOL_MB) by series
Although I do wonder about what is in your "summary_volume" index. If you inserted data into the summary index using a sitimechart command, then there should be a field called search_name, not report. And you should also not need to do an eval to create the _time field.
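A small model of what the two pipelines above do, added here as an illustration and not taken from the thread or from Splunk itself. It mimics `timechart span=1m limit=5 latest(VOL_MB) by series` and a trailing `top limit=5 source`, so you can see why the original search returns nothing: timechart emits one row per time bucket with one column per kept series, and no `source` field survives for `top` to count. The sample rows, paths and function names are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample data: 7 sources over 3 one-minute bins, mimicking events
# from a summary index holding a volume-by-source report (hypothetical values).
SAMPLE_ROWS = [
    {"info_max_time": 1_700_000_000 + 60 * minute + 30,
     "series": f"/var/log/app{i}.log",
     "VOL_MB": float(i * 10 + minute)}
    for minute in range(3) for i in range(1, 8)
]


def timechart_latest_by_series(rows, span=60, limit=5, useother=True):
    """Model of `timechart span=<span>s limit=<limit> latest(VOL_MB) by series`.
    Buckets rows by _time (= info_max_time), keeps the latest VOL_MB per
    (bucket, series), ranks series by the sum of those values over all
    buckets, keeps the top `limit` series and folds the rest into OTHER."""
    latest = {}  # (bucket, series) -> (event time, VOL_MB)
    for r in rows:
        t = r["info_max_time"]
        key = (t - t % span, r["series"])
        if key not in latest or t >= latest[key][0]:
            latest[key] = (t, r["VOL_MB"])
    score = defaultdict(float)  # split-by value -> total across buckets
    for (_, series), (_, vol) in latest.items():
        score[series] += vol
    keep = sorted(score, key=lambda s: (-score[s], s))[:limit]
    table = {}
    for (bucket, series), (_, vol) in latest.items():
        row = table.setdefault(bucket, {"_time": bucket})
        col = series if series in keep else "OTHER"
        if col == "OTHER" and not useother:
            continue  # useother=f drops the folded series entirely
        row[col] = row.get(col, 0.0) + vol
    return [table[b] for b in sorted(table)], keep


def top_field(rows, field, limit=5):
    """Model of `| top limit=<limit> <field>`: counts the values of <field>
    in the rows it receives; rows without that field contribute nothing."""
    counts = defaultdict(int)
    for r in rows:
        if field in r:
            counts[r[field]] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])[:limit]


# Timechart output has columns _time, app3..app7 and OTHER, but no "source",
# so `top source` on it yields an empty result, which is what the asker saw.
table, top5 = timechart_latest_by_series(SAMPLE_ROWS)
```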