Solved: How to limit the number of result lines from stats

kaurinko · ‎11-25-2016

Hi!

I have some data from which I would like a summary report with only the most active clients in the list. The search below does the trick except that it lists all the clients, but I would be happy with the first five lines of the result. I am not looking for a "lines per page" solution. I would simply like to cut the report after the first five (or so) lines.

index=myindex source=mysource SummaryLines
|  stats
count(eval(STATUS_CODE=1 OR STATUS_CODE=2)) AS "No token" 
count(eval(STATUS_CODE=3)) AS Timeout
count(eval(STATUS_CODE=4)) AS OK 
count AS Total 
by CLIENT
| sort -Total
| top limit=5 Total, OK, CLIENT, "No token", Timeout
| fields CLIENT, "No token", Timeout, OK, Total

Actually, the last two lines did not have any effect. I tried inserting

 | top limit=5 CLIENT

before the stats, but then I lost all details in the fields.

How should I do this?

sundareshr · ‎11-25-2016

Try this

 index=myindex source=mysource SummaryLines
 |  stats
 count(eval(STATUS_CODE=1 OR STATUS_CODE=2)) AS "No token" 
 count(eval(STATUS_CODE=3)) AS Timeout
 count(eval(STATUS_CODE=4)) AS OK 
 count AS Total 
 by CLIENT
 | sort 5 -Total

View solution in original post

sundareshr · ‎11-25-2016

Try this

 index=myindex source=mysource SummaryLines
 |  stats
 count(eval(STATUS_CODE=1 OR STATUS_CODE=2)) AS "No token" 
 count(eval(STATUS_CODE=3)) AS Timeout
 count(eval(STATUS_CODE=4)) AS OK 
 count AS Total 
 by CLIENT
 | sort 5 -Total

kaurinko · ‎11-25-2016

Well, that possibility never crossed my mind. It seems like I should do more thorough reading of the manuals. Thanks a lot!

How to limit the number of result lines from stats

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout