Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find top 10 hosts after a sort?

I-Man
Communicator
‎02-02-2011 06:22 PM

The following search will give the count of events by host and sort the hosts by count, highest to lowest.

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort count

Now I just want to show the top 10 hosts based on their high count. Using the head command will show the first 10 hosts that are found and not the top 10 based on the count that i am trying to display. This seems easy enough but i cannot figure it out...

Feeling very noob right now, help is always appreciated.

Thanks, Iman

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎02-02-2011 06:41 PM

I think that's what you're looking for can be achieved by. 

index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host

However, if you would like to use your search you could also achieve the same by: 

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count

.gz

View solution in original post

Reply
Solved! Jump to solution

renjujacob88
Path Finder
‎05-15-2017 08:33 PM

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort 10 - count

0 Karma
Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-21-2016 07:31 AM

try this
index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 10 - GB | rename h AS Host

Reply
Solved! Jump to solution

I-Man
Communicator
‎02-02-2011 06:59 PM

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort -count | head 10

The above search finally worked for me. There was some kind of bug going on that when I clicked on the top of a column to sort via ascending/descending order, the sort -count OR sort +count would make no difference as the column properties take seemed to take precedence. Not sure why but this only happened when the head function was not present. Weird. Thank you anyways for the quick response Genti.

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎02-02-2011 06:41 PM

I think that's what you're looking for can be achieved by. 

index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host

However, if you would like to use your search you could also achieve the same by: 

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count

.gz

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...