Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a search to exclude the top 10 or 15 error messages, but return the following top 10?

steeldol
Explorer
‎10-26-2015 05:11 AM

Currently, about 80 to 90 percent of errors logged within a specific index I'm monitoring is made up of the top 10 to 15 errors. These errors are logged daily and are pretty much noise. I have created a search to exclude each of these errors by using the != option, and then using the top limit=10 command to show me the next top 10. But as you can imagine, this isn't very efficient. Is there any other way that I can run a search that would show me the top 10 errors after excluding the current top 10 or 15 errors without having to manually define each error using the != option?

0 Karma
Reply

DalJeanis
Legend
‎08-23-2017 11:52 AM

Try this ....

 your search
 | stats count  as errorcount by myerror
 | sort 25 - errorcount
 | tail 15
 | reverse
0 Karma
Reply

mtranchita
Communicator
‎10-26-2015 06:05 AM

Why not try working with rare instead of top?
The command is intended to find the infrequent results.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-26-2015 06:14 AM

I believe (and testing seems to confirm) that you can combine the two.

... | top 15 myerror | rare 5 myerror

Seems to do the right thing in that it first takes the top 15 myerrors, then displays the "least top" 5 of those (e.g. the rare ones). It does mess up your counts and that, but still, the list appears correct.

0 Karma
Reply

altink
Builder
‎08-22-2017 02:53 PM

didn't work for me

tried
| top 100 my-field-name | rare 99 my-field-name

for actually five records, but got all of them and not the first one (100-99) removed!
Put high number (100) because five records is not the max number, may be even 150

regards
Altin

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-23-2017 09:26 AM

I'm sorry, I should have said to use head and tail. You'll need to sort, but here's a run-anywhere..

index=_internal | stats count by component | sort - count | head 50 | tail 5

That should show you the 45th through 50th (or 45th through 49th?) items.

Does that work better?

Reply

altink
Builder
‎08-23-2017 11:11 AM

Yes, it did this way

thanks and regards
Altin

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...