Solved: How to do this subsearch?

hjwang · ‎05-31-2011

Hi~there, i have logs containing "requestURL" and its "Category" per event. it's easy to count top 10 requestURL, and it displays the table containing "requestURL","count","percent" fileds. now if i wanna append one column named Category in each top 10 row. how can i do this search? or must use lookup table? thanks for your kind help 🙂

Ayn · ‎05-31-2011

Just add "Category" as a parameter to top:

<yourbasesearch> | top 10 requestURL,Category

This gives you the top 10 pairs of requestURL and Category, so if one requestURL would have different values for Category these would be split up, but I'm guessing that is not likely to happen in your logs.

View solution in original post

Ayn · ‎05-31-2011

Just add "Category" as a parameter to top:

<yourbasesearch> | top 10 requestURL,Category

This gives you the top 10 pairs of requestURL and Category, so if one requestURL would have different values for Category these would be split up, but I'm guessing that is not likely to happen in your logs.

hjwang · ‎05-31-2011

Thanks,Ayn. i thought top command just use only one field to caculate.i didn't expect it can do such thing.

How to do this subsearch?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to do this subsearch?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR