Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find top 10 hosts after a sort?

I-Man
Communicator
‎02-02-2011 06:22 PM

The following search will give the count of events by host and sort the hosts by count, highest to lowest.

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort count

Now I just want to show the top 10 hosts based on their high count. Using the head command will show the first 10 hosts that are found and not the top 10 based on the count that i am trying to display. This seems easy enough but i cannot figure it out...

Feeling very noob right now, help is always appreciated.

Thanks, Iman

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎02-02-2011 06:41 PM

I think that's what you're looking for can be achieved by. 

index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host

However, if you would like to use your search you could also achieve the same by: 

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count

.gz

View solution in original post

Reply
Solved! Jump to solution

renjujacob88
Path Finder
‎05-15-2017 08:33 PM

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort 10 - count

0 Karma
Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-21-2016 07:31 AM

try this
index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 10 - GB | rename h AS Host

Reply
Solved! Jump to solution

I-Man
Communicator
‎02-02-2011 06:59 PM

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort -count | head 10

The above search finally worked for me. There was some kind of bug going on that when I clicked on the top of a column to sort via ascending/descending order, the sort -count OR sort +count would make no difference as the column properties take seemed to take precedence. Not sure why but this only happened when the head function was not present. Weird. Thank you anyways for the quick response Genti.

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎02-02-2011 06:41 PM

I think that's what you're looking for can be achieved by. 

index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host

However, if you would like to use your search you could also achieve the same by: 

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count

.gz

Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...