Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to limit my search to return only the top 10 events displaying count and percentage?

jalalallam
New Member
‎09-22-2014 10:27 AM

Hello,

I would like to create a search that select the top 10 events

Like this:

event count percent

[Mon Sep 22 17:14:36 2014] [error] [client XXX] File does not exist: /var/www/html/home-store 1000 30
[Mon Sep 22 15:53:37 2014] [error] [client XXX] Bean "Hits_Bean_List.__isset" does not support attrib 500 20

Any suggestions? Any idea is welcome.

Thanks

Tags (3)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-22-2014 10:36 AM

First, if timestamp does not matter, you may want to extract a fields, say called raw, that has only the event. I'm assuming the pattern above are for all your events. Example props.conf

[Insert Name of your sourcetype]
EXTRACT-raw=^\[.*?\](?P<raw>.*)

Then, simply run the search:

sourcetype="Insert name of your sourcetype"|top raw limit=10

I'm not sure if this answers your question I don't know if all your events follow the pattern above. Nevertheless, the top command can get you there.

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-23-2014 02:03 PM

Sorry, I had two typos in there. Change that in props.conf to what is now listed in the answer.

You can use http://regex101.com/ to test a regex (remove the ?P in the test regex). BTW, you should put your props.conf in $SPLUNK_HOME/etc/apps/search/local/props.conf

Your search would be: sourcetype=splunk_web_service|top raw limit=10

This assumes that your source "/var/log/httpd/*-error_log" is indeed tied to this sourcetype.

0 Karma
Reply

jalalallam
New Member
‎09-23-2014 10:22 AM

Thank you for reply,

I tried to update the config file:
splubk/etc/apps/search/default/props.conf
[splunk_web_service]
EXTRACT-raw=^[.?](?.8)

And tried to search through the browser
source="/var/log/httpd/*-error_log" | top raw limit=10

but no luck:
No results found.

I want to find the top 10 raw repeated in any log file such as Apache error log.

Can you help me?

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...