Solved: How to control the number of top results shown fro...

HattrickNZ · ‎03-08-2015

I am trying to control how many of the top results are shown.

I have the following search

stats max(c1693801001) as MaxCPU by measObjLdn | sort - MaxCPU

which gives me the following in the stats view:

measObjLdn  MaxCPU
Object1 13
Object2 11
Object3 8
Object4 7
Object5 4
Object6 4
Object7 3
Object8 3

How do i just show the top 3 that would look like

measObjLdn  MaxCPU
Object1 13
Object2 11
Object3 8

I have tried top but no joy, it just keeps showing them all
....| top limit=5 showcount=f showperc=f MaxCPU by measObjLdn | sort - MaxCPU

musskopf · ‎03-08-2015

Just change to:

stats max(c1693801001) as MaxCPU by measObjLdn | sort 3 - MaxCPU

View solution in original post

ramdaspr · ‎03-08-2015

That is because you have a by clause so it is showing you the top 5 MaxCPU for each measObjLdn. You should be using head 3 after sorting to find out the top 3 values regardless of the combination.

musskopf · ‎03-08-2015

Just change to:

stats max(c1693801001) as MaxCPU by measObjLdn | sort 3 - MaxCPU

ramdaspr · ‎03-08-2015

++ simpler solution.

When i read the docs, it says "Specify the number of results to sort. " so I assumed only the first 3 events would be used but it should says "Specify the number of sorted results to return" instead.

HattrickNZ · ‎03-10-2015

tks all, the one below by ramdaspr works also.

How to control the number of top results shown from a search in Splunk 6.1.2?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector