Splunk Search

How to create a field value from a group of values in the same field?

diabinho
Explorer

I'm trying to create a table where I want to display the 3 biggest values (count) from a field and the remaining ones as "others". For example:

Field1 count
A 27
B 20
C 8
others 239

How do I create "others"?

*Others=D, E,F, ... (total count of occurrences)

Thanks

0 Karma

diabinho
Explorer

I think I got it by applying |timechart span=5m limit=9 usenull=f useother=true count by ALPHABET
|fields + "A" "F" "G" "OTHER"

0 Karma

richgalloway
SplunkTrust

@diabinho If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mayurr98
Super Champion

Try this:

.. |top limit=3 Field1 useother=1 showperc=f

diabinho
Explorer

Thank you for the help, but I posted my question wrongly; nevertheless your answer helped me with something else 🙂

What I really want is something like this:
[image]

With A, F and G always there regardless of the count, and OTHER being just the remaining ones. I know if I use limit=limit_number I automatically get OTHER, but I can't see how to "stick" A, F and G there.

Any thoughts?

Thanks

0 Karma
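One way to produce the table described in this post (A, F and G always present, everything else folded into OTHER), as an added example that is not from any of the thread's participants: an eval pins the wanted values and maps the rest to OTHER, then a zero-count row for each pinned value is appended so they still show up when no event carries them. The first four lines build constructed sample values with makeresults; replace them with your real search.

```spl
| makeresults
| eval Field1="A,A,A,B,B,C,D,D,E,F,G,G"
| makemv delim="," Field1
| mvexpand Field1
| eval Field1=if(Field1 IN ("A","F","G"), Field1, "OTHER")
| stats count by Field1
| append
    [| makeresults count=3
     | streamstats count as n
     | eval Field1=case(n=1,"A", n=2,"F", n=3,"G"), count=0
     | fields Field1 count]
| stats sum(count) as count by Field1
| sort -count
```

On the sample values this yields OTHER 6, A 3, G 2, F 1; for a timeline, swap the first stats for `timechart span=5m count by Field1` and drop the append, since timechart already emits a column per value.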

diabinho
Explorer

Hello mayurr98,

It helped, but it isn't what I was looking for; that's my bad, I didn't explain properly. Nevertheless it helped me with something else.

Thanks

0 Karma