Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit my search to return only the top 10 events displaying count and percentage?

jalalallam
New Member
‎09-22-2014 10:27 AM

Hello,

I would like to create a search that select the top 10 events

Like this:

event count percent

[Mon Sep 22 17:14:36 2014] [error] [client XXX] File does not exist: /var/www/html/home-store 1000 30
[Mon Sep 22 15:53:37 2014] [error] [client XXX] Bean "Hits_Bean_List.__isset" does not support attrib 500 20

Any suggestions? Any idea is welcome.

Thanks

Tags (3)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-22-2014 10:36 AM

First, if timestamp does not matter, you may want to extract a fields, say called raw, that has only the event. I'm assuming the pattern above are for all your events. Example props.conf

[Insert Name of your sourcetype]
EXTRACT-raw=^\[.*?\](?P<raw>.*)

Then, simply run the search:

sourcetype="Insert name of your sourcetype"|top raw limit=10

I'm not sure if this answers your question I don't know if all your events follow the pattern above. Nevertheless, the top command can get you there.

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-23-2014 02:03 PM

Sorry, I had two typos in there. Change that in props.conf to what is now listed in the answer.

You can use http://regex101.com/ to test a regex (remove the ?P in the test regex). BTW, you should put your props.conf in $SPLUNK_HOME/etc/apps/search/local/props.conf

Your search would be: sourcetype=splunk_web_service|top raw limit=10

This assumes that your source "/var/log/httpd/*-error_log" is indeed tied to this sourcetype.

0 Karma
Reply

jalalallam
New Member
‎09-23-2014 10:22 AM

Thank you for reply,

I tried to update the config file:
splubk/etc/apps/search/default/props.conf
[splunk_web_service]
EXTRACT-raw=^[.?](?.8)

And tried to search through the browser
source="/var/log/httpd/*-error_log" | top raw limit=10

but no luck:
No results found.

I want to find the top 10 raw repeated in any log file such as Apache error log.

Can you help me?

Thanks

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...