Splunk Search

Not able to limit the no of entries in search result

ppurokit
Path Finder

Hi All,

I have been writing some search queries, and now I have written a search query for which I'm getting a number of entries.

My requirement is that I need to limit the number of search results which I'm getting.

The search query is as follow:

(XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | top limit=15 mbytes by dest_ip | rename mbytes as "Total MBytes", dest_ip as "Destination Address" | fields - percent, - count  | sort -"Total MBytes" | addcoltotals "Total MBytes" labelfield="Destination Address" label=Total

I have used "top limit=15" in the search query, but even so I receive a search result of 450+.

I also tried using "stats sum(mbytes)" but was not able to limit the search result.

Please let me know if I'm missing anything in the above query, or if there is any other way to achieve this?

Also, please let me know how I can convert the same into a chart.

I know I can just click on the graph icon and convert it into a chart, but if you can provide the exact chart command it will be more useful.

Thanks in Advance
Prasanna

0 Karma

amit_saxena
Communicator

Hi,

I would suggest using the following modified query.

(XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | table dest_ip, mbytes | sort -mbytes | head 15 | rename mbytes as "Total MBytes", dest_ip as "Destination Address"

This will help in getting the data in tabular form as you want. I haven't tried this, but I feel that the search results in tabular format can be directly converted into a chart also.

Let me know if it works for you.

Regards,
Amit Saxena

0 Karma

Ayn
Legend

The reason you're getting more than 15 results is that you're doing top limit=15 BUT also by dest_ip, which tells top to grab each dest_ip's top 15 mbytes values. Depending on what you actually want, you might instead want to do something like top 1 mbytes by dest_ip | sort - mbytes to get the IPs with the highest mbytes values, and then do | head 15 to only get the first 15.
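As an added example (not code from the thread), the per-destination total the question asks for, carried through on constructed firewall teardown lines: because top limit=15 mbytes by dest_ip returns up to 15 rows for every destination, the total per destination is built with stats sum and the row limit is applied afterwards with head. The sample events, addresses and byte counts are made up; the two rex patterns are the ones from the question.

```spl
| makeresults
| eval _raw="Teardown TCP connection 101 for inside:10.0.0.5/51000 to outside:203.0.113.10/443 duration 0:00:10 bytes 2097152 TCP FINs;Teardown TCP connection 102 for inside:10.0.0.6/51001 to outside:203.0.113.10/443 duration 0:00:12 bytes 1048576 TCP FINs;Teardown TCP connection 103 for inside:10.0.0.5/51002 to outside:203.0.113.20/22 duration 0:01:00 bytes 2621440 TCP FINs;Teardown TCP connection 104 for inside:10.0.0.7/51003 to outside:203.0.113.30/80 duration 0:00:02 bytes 524288 TCP FINs;Teardown TCP connection 105 for inside:10.0.0.7/51004 to outside:203.0.113.30/80 duration 0:00:03 bytes 524288 TCP FINs"
| makemv delim=";" _raw
| mvexpand _raw
| rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)"
| rex "bytes\s+(?<bytes>\d+)"
| eval mbytes=round(bytes/1024/1024,3)
| stats sum(mbytes) as total_mbytes, dc(src_ip) as sources, count as connections by dest_ip
| sort -total_mbytes
| head 15
| rename total_mbytes as "Total MBytes", dest_ip as "Destination Address"
| addcoltotals "Total MBytes" labelfield="Destination Address" label=Total
```

On the constructed data this yields three rows (203.0.113.10 at 3.0 MB, 203.0.113.20 at 2.5 MB, 203.0.113.30 at 1.0 MB) plus the Total row; the stats output is a single-series table, so the Visualization tab can render it as a bar chart directly.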
