Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display the "others" or the rest after showing top results

christopheryu
Communicator
‎05-03-2017 11:49 AM

I have this search to show top 5 values:

search... | fields ALARM | stats count by ALARM | sort limit=5 -count

Result for above is shown in a dashboard as a pie chart. How do I search for the rest of ALARM to show in a separate pie chart? Values for ALARM vary depending on time range.

Sorry if duplicate, did not find a similar question.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-03-2017 12:16 PM

Try like this

search... | fields ALARM | top limit=5 useother=t showperc=f ALARM

Updated

Try this. This will exclude top 5 and give the rest (streamstats will assign rank/serial no to sorted list and then we filter top 5)

search...| fields ALARM | stats count by ALARM | sort 0 -count | streamstats count as rank | where rank>5 | fields - rank

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-03-2017 01:01 PM

search...
| fields ALARM
| stats count by ALARM
| search NOT [search... | fields ALARM | stats count by ALARM | sort limit=5 -count | table ALARM]

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:28 PM

this works if my time range is set to past 3 days where there are less than 1M events, however, when I tried past 30 days with 10M events, it pulled up all ALARM values

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:56 PM

sorry, this actually works, forgot to add the table ALARM at the end. however, this takes twice the time as compared to somesoni2's - thank you!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-03-2017 02:41 PM

That makes sense - it's doing twice the work!

Wouldn't have posted it at all if somesoni2's second answer had been posted yet.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-03-2017 12:16 PM

Try like this

search... | fields ALARM | top limit=5 useother=t showperc=f ALARM

Updated

Try this. This will exclude top 5 and give the rest (streamstats will assign rank/serial no to sorted list and then we filter top 5)

search...| fields ALARM | stats count by ALARM | sort 0 -count | streamstats count as rank | where rank>5 | fields - rank
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:15 PM

this pulled up the top 5 and "other" values for ALARM

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-03-2017 01:39 PM

I didn't fully read I guess. Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:58 PM

thank you, this works.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...