Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display the "others" or the rest after showing top results

christopheryu
Communicator
‎05-03-2017 11:49 AM

I have this search to show top 5 values:

search... | fields ALARM | stats count by ALARM | sort limit=5 -count

Result for above is shown in a dashboard as a pie chart. How do I search for the rest of ALARM to show in a separate pie chart? Values for ALARM vary depending on time range.

Sorry if duplicate, did not find a similar question.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-03-2017 12:16 PM

Try like this

search... | fields ALARM | top limit=5 useother=t showperc=f ALARM

Updated

Try this. This will exclude top 5 and give the rest (streamstats will assign rank/serial no to sorted list and then we filter top 5)

search...| fields ALARM | stats count by ALARM | sort 0 -count | streamstats count as rank | where rank>5 | fields - rank

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-03-2017 01:01 PM

search...
| fields ALARM
| stats count by ALARM
| search NOT [search... | fields ALARM | stats count by ALARM | sort limit=5 -count | table ALARM]

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:28 PM

this works if my time range is set to past 3 days where there are less than 1M events, however, when I tried past 30 days with 10M events, it pulled up all ALARM values

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:56 PM

sorry, this actually works, forgot to add the table ALARM at the end. however, this takes twice the time as compared to somesoni2's - thank you!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-03-2017 02:41 PM

That makes sense - it's doing twice the work!

Wouldn't have posted it at all if somesoni2's second answer had been posted yet.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-03-2017 12:16 PM

Try like this

search... | fields ALARM | top limit=5 useother=t showperc=f ALARM

Updated

Try this. This will exclude top 5 and give the rest (streamstats will assign rank/serial no to sorted list and then we filter top 5)

search...| fields ALARM | stats count by ALARM | sort 0 -count | streamstats count as rank | where rank>5 | fields - rank
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:15 PM

this pulled up the top 5 and "other" values for ALARM

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-03-2017 01:39 PM

I didn't fully read I guess. Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

christopheryu
Communicator
‎05-03-2017 01:58 PM

thank you, this works.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...