Splunk Search

How to limit search results to * % of all results

kk2204
Explorer

I've got a search query which outputs 175 rows. I want it to output only top 5%. The row count will change over time so I cannot set a fixed int value. It needs to be dynamic.

0 Karma

FelixLeh
Contributor

You can either use the top command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Top):

| top <your_field> limit=<your_choice>

OR
you can use sort and then use head:

| sort - count
| head <number_of_choice>

If this is inside a dashboard you could create a token based on the amount of search results and input it as the number for the head or top command.

0 Karma

kk2204
Explorer

I know that but with your solution I can only use integers such as 5,1,10 etc. I want to limit the results to a certain percentage of all possible results.

0 Karma

PickleRick
SplunkTrust

<yoursearch>
| eventstats count as total
| streamstats count as current
| where current<=0.15*total

FelixLeh
Contributor

Great Solution!
But there was a typo and it disregarded the amount of count.
Added a sort to your solution.

<your_search>
| stats count by user
| sort - count
| eventstats count as total
| streamstats count as current
| where current<=0.15*total

0 Karma

PickleRick
SplunkTrust

What your way of sorting, grouping, ordering and so on is, is up to you. :slightly_smiling_face:

"My" part only did the limiting.

0 Karma

kk2204
Explorer

Thanks both of you guys!

0 Karma
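A complete, runnable version of the accepted approach at the asker's 5% threshold, added here as an illustration and not taken from any post in the thread. It builds a constructed dataset with makeresults so it runs on any Splunk instance without indexed data, sorts before counting so the "top" rows are the ones kept, and guards the edge case where 5% of a small result set rounds down to zero rows (the eval names pct and keep are my own).

```spl
| makeresults count=40
| streamstats count as n
| eval user="user".(n % 7)
| stats count by user
| sort - count
| eval pct=0.05
| eventstats count as total
| eval keep=max(1, ceil(total * pct))
| streamstats count as current
| where current <= keep
| fields - n current keep total pct
```

With 7 grouped rows, 0.05 * 7 = 0.35, so the plain `where current<=0.05*total` form would return nothing; the ceil/max guard keeps at least the single top row, and with the asker's 175 rows it keeps 9 (ceil of 8.75).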