I am using these search queries and I want to restrict the search to return only the top ten results.
How do I do it?
The search queries I am using are:
sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) BY client_ip
sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) BY URL
Thanks...
Try this:
your_query | sort - sum(bandwidth) | head 10
You may want to name your field "bandwidth" as follows:
sourcetype="access" | stats sum(bytes_sent) as bandwidth BY client_ip | eval bandwidth=round(bandwidth/1024,2) | sort - bandwidth | head 10
sourcetype="access" | stats sum(bytes_sent) as bandwidth BY URL | sort - bandwidth | eval bandwidth=round(bandwidth/1024,2) | head 10
Lp
The usage of sort is fine if the number of items is not too large. To sort a large number of items is time consuming, and there is a limit in Splunk. Because of the limit, the attempt to sort the items and then to select the first 10 items might end in a wrong result.
In order to avoid this, I filter all items above/below a limit that is specific to the problem. For instance, 50 000 records are processed, more than 49 000 records are processed within 2 seconds, but there are a few records for which the processing takes more time. So I set the limit to 2 seconds.
However, if there are just a few records, e.g., 10, then it might be the case that the list of Top 10 results is empty because all of them are below the limit of 2 seconds.
You may want to use top for this.
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Top
sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by client_ip
sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by URL
Hope that helps.
The question kind of indicates the 10 greatest values.
If you just want the greatest values and not the top 10 just sort it in descending order.
This is actually incorrect. The top command will deliver the most common values, not the greatest ones.
Thanks a lot for your replies. "head" works.
I've slightly changed the search to do the "round" after the aggregation. This is better because it reduces the rounding error.
But that's probably the most reasonable result for the question.
The head command will give you the first 10 results whereas the top command will give you the most common values of a particular field.
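A Python simulation of the two pipelines, added here as an illustration and not taken from the thread; the access events are constructed. It shows why "sort - bandwidth | head" returns the greatest totals while "top" returns the most frequent values, and why rounding after the aggregation differs from rounding before it.

```python
from collections import Counter, defaultdict

# Constructed sample access events as (client_ip, bytes_sent); not real data.
EVENTS = [
    ("10.0.0.1", 1000), ("10.0.0.1", 1000), ("10.0.0.1", 1000),
    ("10.0.0.2", 512000),
    ("10.0.0.3", 1024), ("10.0.0.3", 1024), ("10.0.0.3", 1024),
    ("10.0.0.4", 204800), ("10.0.0.4", 102400),
    ("10.0.0.5", 2048),
]


def stats_sum_by(events):
    """stats sum(bytes_sent) as bandwidth BY client_ip"""
    totals = defaultdict(int)
    for ip, sent in events:
        totals[ip] += sent
    return dict(totals)


def sort_head(totals, n=10):
    """eval bandwidth=round(bandwidth/1024,2) | sort - bandwidth | head n
    Rounds after aggregation and returns the n greatest totals in KB."""
    rounded = {ip: round(b / 1024, 2) for ip, b in totals.items()}
    return sorted(rounded.items(), key=lambda kv: kv[1], reverse=True)[:n]


def round_before_sum(events):
    """eval bandwidth=round(bytes_sent/1024,2) | stats sum(bandwidth) BY client_ip
    Rounds each event first, so per-event rounding errors accumulate."""
    totals = defaultdict(float)
    for ip, sent in events:
        totals[ip] += round(sent / 1024, 2)
    return {ip: round(b, 2) for ip, b in totals.items()}


def top_values(events, n=10):
    """top limit=n bytes_sent: the most *frequent* values, not the greatest."""
    return Counter(sent for _, sent in events).most_common(n)
```

With these events the 512000-byte response never appears in "top" output because it occurs only once, while "sort - bandwidth | head" places that client first.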
Why have they used "sort - bandwidth" there? Can you please explain it to me?
from the docs about sort
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Sort :
Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).
Yah!!
Got it. Thank you. 🙂