I have only been using Splunk for a few days and couldn't find an answer to this question.
I want to find the client IPs that are generating the most errors and display the count of each specific error as well. However, I want my search to be limited to 20 client IPs (the 20 that generate the most errors).
I'm able to get a list of all client IPs right now
index=blah tag=blah AND (status=302 OR status=304 OR status=403 OR status=404 OR status=500) | stats count(status) as "Total Errors" count(eval(status=302)) as "302 Count" count(eval(status=304)) as "304 Count" count(eval(status=403)) as "403 Count" count(eval(status=404)) as "404 Count" count(eval(status=500)) as "500 Count" by clientip | sort -"Total Errors"
This creates a table like so:
clientip | Total Errors | 302 Count | 304 Count | 403 Count | 404 Count | 500 Count 142.182.28 | 20 | 13 | 5 | 1 | 1 | 0
I'm not showing all the results obviously, but the table lists data for every clientip and every time I try to limit the results, the search is messed up. I would appreciate any help with what I am doing wrong.
... | sort - "Total Errors" | top limit=20 "Total Errors" ?
You're very close! The thing you're missing is that the sort command can take a number to give the top N.
So all you have to do is change your line:
| sort - "Total Errors"
| sort 20 - "Total Errors"
Thank you! I was not aware sort could take that parameter and this worked.