- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to count top results in each column?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to count top results in each column?
Hi everyone,
Trying to find out the top 10 values from different host long_message index functionality..
So tried like index=* "error" OR "FAIL" OR "fatal"| stats values (functionality) values(correlatioid) values(loan_num) values(host) count by log_message | sort -count
So it is showing top errors with functionality host loan_num details for each and every error.
My requirement is i want achieve top errors count from particular host or fuctionality..
It is showing like
Functionality:
Abc
Xyz
123
Let's say If the Abc functionality has more errors.. in the table it should give the count of Abc along with percentage among all the obtained errors..
Like this..
Functionality:
Abc- 109 98% amoung
Xyz - 1 1%
123 1 1%
Any suggestions?
Similarly i want see the top errors causing from different sources..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your query:
index=* "error" OR "FAIL" OR "fatal"
| stats values(functionality) values(correlatioid) values(loan_num) values(host) count by log_message
| sort - count
Simply:
index=* "error" OR "FAIL" OR "fatal"
| top functionality
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how it will show the count for each row in functionality column?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can we compare these values by log messages?
Let's say there is an error 501..
I need table like this..
Log_message. Functionality: host:
Error-501 abc 98 98%. Bjk500. 70 70%
Xyz 01 1%. Bjk400. 20 20%
123 01 1%. Bjk300. 10 10%
Like that we want correlate all sources with the specifyerror..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know the details of your logs.
so , I can't create query.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
