Splunk Search

How to get the sourcetype count by each source top 10 events counts

harishsplunk7
Explorer

I need to get the  sourcetype count by each source top 10 events counts in splunk

Example : 

I have 3 sourcetype and sending data from different sources, 

sourcetype A - a,b,c,d,e

sourcetype B -a,b,c,d,e

sourcetype C -a,b,c,d,e

Now, I need to display top 10 event count by each source by sourcetype

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| stats count by sourcetype source
| sort 0 sourcetype -count
| streamstats count as rank by sourcetype
| where rank <= 10

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| stats count by sourcetype source
| sort 0 sourcetype -count
| streamstats count as rank by sourcetype
| where rank <= 10

harishsplunk7
Explorer

Thank you so much!!!

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Can you elaborate what you are looking for?  Maybe illustrate what the end result looks like, and explain what each box means.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...