Splunk Search

How to get the head K of each index in a Splunk search?

lys1030
Explorer

My stats contain an entry called "index". How to get the head K of each index type? For example I want the top 10 in index=a, plus the top 10 in index=b, etc.

woodcock
Esteemed Legend

You need a thing to "top" by. For example, to see the top sourcetypes by index, do this:

index=* | top sourcetype by index

woodcock
Esteemed Legend

If you need the 10 most recent events by index, you can do this:

index=* | streamstats current=t count by index | where count<=10 | stats list(_raw) by index
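Putting the two answers together, here is an added example (not from the original thread) of the same head-K-per-group pattern applied to a field a security analyst typically cares about: the 10 most active source addresses in each index. The field name src_ip and the limit of 10 are assumptions; substitute your own field and K.

```spl
index=* src_ip=*
| stats count BY index, src_ip
| sort 0 index, -count
| streamstats count AS rank BY index
| where rank<=10
| stats list(src_ip) AS top_src, list(count) AS events BY index
```

The stats/sort/streamstats/where chain is the general form: sort puts each group's rows in the order you want to rank by (count here, _time in the second answer), streamstats numbers them within the group, and where keeps the first K. The 0 after sort lifts the default 10,000-row cap so large groups are not silently truncated, and because streamstats only counts in the order rows arrive, the sort must come before it. For a single field ranked purely by count, top sourcetype by index limit=10 gives the same result with percentages for free; the streamstats form is what you reach for when the ranking key is something other than count, when you need several fields in the grouping, or when K must differ from top's defaults.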