Solved: How to get the top 10 values using timechart? - Page 2

dbcase · ‎01-19-2018

Hi,

I have this query and it works just fine

index=blah1 OR index=blah2 OR index=blah3 host=*media* "/fileUpload/image" |rex "(?<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})[\s,]"|eval index=if(index="blah3","beta",index)|eval ii=index+" - "+ip|timechart  usenull=f count by ii |sort -count

What I'd like to have the time chart do is capture the top 10 ii values from the eval command.

Any thoughts?

mayurr98 · ‎01-19-2018

hey you can try something like this

 index=blah1 OR index=blah2 OR index=blah3 host=*media* "/fileUpload/image" |rex "(?<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})[\s,]"|eval index=if(index="blah3","beta",index)|eval ii=index+" - "+ip|timechart  usenull=f count by ii where max in top10

max in top10 means top 10 ii values
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Where_clause_Examples

let me know if this helps!

View solution in original post

How to get the top 10 values using timechart?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!