Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort a report to give me top 20 MAX values?

sraguan
Explorer
‎05-13-2015 10:37 AM

I have a report that showing me the top 20 of field called "sc_bytes" (By count),

> > source="xap.csv" | top limit=20 sc_bytes

So this is what I get:

sc_bytes cs_uri_stem Count percent
992 /messagebroker/amfpolling.wlforward 433769 16.32443
1245 /messagebroker/amfpolling.wlforward 72714 14.026691
276 /messagebroker/amfpolling.wlforward 217028 8.167615
927 /messagebroker/amfpolling.wlforward 119193 4.4857

but I want to see the top 20 of field called "sc_bytes" By the MAXIMUM value of the field itself and not by count.
So it will look like this:

sc_bytes cs_uri_stem Count percent
1245 /messagebroker/amfpolling.wlforward 72714 14.026691
992 /messagebroker/amfpolling.wlforward 433769 16.32443
927 /messagebroker/amfpolling.wlforward 119193 4.4857
276 /messagebroker/amfpolling.wlforward 217028 8.167615

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

sraguan
Explorer
‎05-14-2015 04:10 AM

got it:

source="xap.csv"  | fields sc_bytes | sort -sc_bytes  | head 20| top limit=20 sc_bytes

View solution in original post

Reply
Solved! Jump to solution
Solution

sraguan
Explorer
‎05-14-2015 04:10 AM

got it:

source="xap.csv"  | fields sc_bytes | sort -sc_bytes  | head 20| top limit=20 sc_bytes
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-13-2015 11:00 AM

It looks like your second example is just a re-sort of your first example. If that's all you need then add a sort to your search: source="xap.csv" | top limit=20 sc_bytes | sort -sc_bytes

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sraguan
Explorer
‎05-14-2015 12:12 AM

Thanks @richgalloway ,
the sort really did sorted the top 20 but I have 2 million events in this search and he sorted the top 20 that had the highest count.
I want to sort the top 20 events that has the highest (MAX) sc_bytes.

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-14-2015 01:15 AM

This perhaps?

.... | stats count max(sc_bytes) as max | top limit=20 max

0 Karma
Reply
Solved! Jump to solution

sraguan
Explorer
‎05-14-2015 01:33 AM

@esix_splunk,
I tried what you suggested but stat max only give you 1 value which is the highest one,
it can't give you multiple values (20) like I want.

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-14-2015 01:41 AM

Yes, need to group this by something. Such as host, interface, etc..

0 Karma
Reply
Solved! Jump to solution

sraguan
Explorer
‎05-14-2015 01:51 AM

I'm not sure i'm getting what you are saying (newbie in splunk),
is there a group command?
or even better - can you please write the search query that can give me the output that I want?

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...