Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count top results in each column?

marisstella
Explorer
‎02-10-2020 03:47 AM

Hi everyone,
Trying to find out the top 10 values from different host long_message index functionality..
So tried like index=* "error" OR "FAIL" OR "fatal"| stats values (functionality) values(correlatioid) values(loan_num) values(host) count by log_message | sort -count

So it is showing top errors with functionality host loan_num details for each and every error.
My requirement is i want achieve top errors count from particular host or fuctionality..
It is showing like
Functionality:
Abc
Xyz
123
Let's say If the Abc functionality has more errors.. in the table it should give the count of Abc along with percentage among all the obtained errors..
Like this..
Functionality:
Abc- 109 98% amoung
Xyz - 1 1%
123 1 1%

Any suggestions?
Similarly i want see the top errors causing from different sources..

0 Karma
Reply

to4kawa
Ultra Champion
‎02-10-2020 04:35 AM

your query:

 index=* "error" OR "FAIL" OR "fatal"
| stats values(functionality) values(correlatioid) values(loan_num) values(host) count by log_message 
| sort - count

Simply:

 index=* "error" OR "FAIL" OR "fatal"
| top functionality
0 Karma
Reply

marisstella
Explorer
‎02-10-2020 04:54 AM

how it will show the count for each row in functionality column?

0 Karma
Reply

to4kawa
Ultra Champion
‎02-10-2020 05:05 AM

the result of top is like below

functionality count percent
Abc                109     98%
Xyz                  1      1%
123                  1      1%

cf. top

0 Karma
Reply

marisstella
Explorer
‎02-10-2020 05:55 AM

How can we compare these values by log messages?
Let's say there is an error 501..
I need table like this..

Log_message. Functionality: host:

Error-501 abc 98 98%. Bjk500. 70 70%
Xyz 01 1%. Bjk400. 20 20%
123 01 1%. Bjk300. 10 10%

Like that we want correlate all sources with the specifyerror..

0 Karma
Reply

to4kawa
Ultra Champion
‎02-10-2020 06:08 AM

I don't know the details of your logs.
so , I can't create query.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...