Splunk Search

How do I limit my search to return only the top 10 results for the following search queries?

Communicator

I am using these search queries and I want to restrict the search to return only the top ten results.

How do I do it?

The search queries I am using are:

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2) | stats sum(bandwidth) BY clientip

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) BY URL

Thanks...

1 Solution

Motivator

Try this:

your_query | sort - sum(bandwidth) | head 10

You may want to name your field "bandwidth" as follows:

sourcetype="access" | stats sum(bytes_sent) as bandwidth BY client_ip | eval bandwidth=round(bandwidth/1024,2)  | sort - bandwidth | head 10

sourcetype="access" | stats sum(bytes_sent) as bandwidth BY URL | sort - bandwidth | eval bandwidth=round(bandwidth/1024,2) | head 10

Lp


Splunk Employee

You may want to use top for this.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Top

sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by client_ip

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by URL

Hope that helps.


Influencer

The question kind-of indicates the 10 greatest values.

Splunk Employee

If you just want the greatest values and not the top 10 just sort it in descending order.

Influencer

This is actually incorrect. The top command will deliver the most common values, not the greatest ones.


Communicator

Thanks a lot for your replies. "head" works.


Influencer

I've slightly changed the search to do the "round" after the aggregation. This is better because it reduces the rounding error.


Influencer

But that's probably the most reasonable result for the question.


Splunk Employee

The head command will give you the first 10 results whereas the top command will give you the most common values of a particular field.

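To make that distinction concrete, here is an added Python model of the two pipelines over a constructed set of access events (this is illustrative code, not Splunk code and not from any post in this thread): `stats sum(...) BY client_ip | sort - bandwidth | head N` returns the N greatest summed values, while `top limit=N client_ip` returns the N most frequently occurring values of the field, which can be a different set of hosts.

```python
from collections import Counter, defaultdict

# Constructed sample access events as (client_ip, bytes_sent) pairs; not real log data.
# 10.0.0.1 appears most often but sends little; 10.0.0.2 appears once but sends the most.
EVENTS = [
    ("10.0.0.1", 500), ("10.0.0.1", 500), ("10.0.0.1", 500), ("10.0.0.1", 500),
    ("10.0.0.2", 200000),
    ("10.0.0.3", 100), ("10.0.0.3", 100),
    ("10.0.0.4", 90000), ("10.0.0.4", 90000), ("10.0.0.4", 90000),
]


def stats_sum_bandwidth(events):
    """Model of: stats sum(bytes_sent) as bandwidth BY client_ip | eval bandwidth=round(bandwidth/1024,2).
    Rounding after aggregation, as the accepted answer does, avoids accumulating per-event rounding error."""
    totals = defaultdict(int)
    for ip, bytes_sent in events:
        totals[ip] += bytes_sent
    return {ip: round(total / 1024, 2) for ip, total in totals.items()}


def sort_head(totals, n):
    """Model of: sort - bandwidth | head n -> the n rows with the greatest summed bandwidth."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_values(events, n):
    """Model of: top limit=n client_ip -> the n most common field values, with their event counts."""
    return Counter(ip for ip, _ in events).most_common(n)


if __name__ == "__main__":
    totals = stats_sum_bandwidth(EVENTS)
    print("greatest bandwidth (sort/head):", sort_head(totals, 2))   # 10.0.0.4, 10.0.0.2
    print("most frequent clients (top):  ", top_values(EVENTS, 2))   # 10.0.0.1, 10.0.0.4
```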

Contributor

Why have they used `sort - bandwidth` there? Can you please explain it to me?


SplunkTrust

From the docs about sort (http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Sort):

Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).

Contributor

Yeah!! Got it. Thank you. 🙂
