Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Limit to first 10 counts

Rajaion
Path Finder
‎01-02-2024 05:57 AM

Hello community,

I am having a problem displaying a graph. I have an index that contains incidents from several monitoring tools. I need to pull up a top 10 of the most recurring alerts (that's done).

However, on this top 10, I am asked for a graph to show the evolution of the number of errors in this top per week (in order to see for example when a fix has been deployed). And this is where I encounter a problem: in my query, I have my top 10 but I have an OTHER which brings together everything that is after the top 10:

Rajaion_0-1704203704535.png


Here is the query that causes this graph:

index=oncall_prod
| search routingKey != "routingdynatrace_cluster"
| dedup incidentNumber
| rename entityDisplayName as Service
| timechart span=1w count by Service 
| sort - count limit=10

 

I tried to use "head" or "top" to force the display of the first 10 results only but in the case of "head", it doesn't change anything, and in the case of "top", my screen remains empty.
I've searched the forum and it's often these two answers that come up but in my case, it doesn't work. Do you know how to remove the OTHER to only have the first 10 results in my graph?

Sincerely,

Rajaion

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎01-02-2024 06:03 AM

You can try 

| timechart span=1w useother=false limit=10 count by Service

 This should limit to only the top 10 and also discard any events that don't fall into the top 10.

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎01-02-2024 06:03 AM

You can try 

| timechart span=1w useother=false limit=10 count by Service

 This should limit to only the top 10 and also discard any events that don't fall into the top 10.

Reply
Solved! Jump to solution

CJ117
Engager
‎01-21-2025 02:48 PM

How can this be used to find the last 10 events in chronological order? 

 

0 Karma
Reply
Solved! Jump to solution

Rajaion
Path Finder
‎01-02-2024 06:07 AM

Hello @dtburrows3,

I didn't know about this "useother" option, and it works, it's exactly what I was looking for:

Rajaion_0-1704204309989.png

 

Thank you very much for your help.

Sincerely,

Lionel M.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...