Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Newbie question - top(field1) by field2?

kylar
Engager
‎11-04-2013 10:04 AM

I have a large log of items that come from different machines. Each machine generates some set of errors. I want to see the top 10 errors for each machine.

in my mental splunk-pseudocode, I thought something like this:

machine="linux6.*" error="*Exception" | top (error) by machine

would produce:

linux6.1 NullPointerException     7699
linux6.1 InvalidArgumentException 7102
linux6.2 NullPointerException     909
linux6.2 InvalidArgumentException 1019

I'm really new to splunk, please help!

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎11-04-2013 10:11 AM

Try:

top machine,error
0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎11-04-2013 10:11 AM

machine="linux6.*" error="*Exception" | top error by machine

Reply

kylar
Engager
‎11-04-2013 10:14 AM

Ugh, it was just the parenthesis? I'm a moron 😞
Thanks!

Reply

rakesh_498115
Motivator
‎11-04-2013 10:10 AM

If error is the field , tat contains error messages..

your search | top error by machine

would give u top ten errors for each machine.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...