
Not able to limit the number of entries in the search result

Path Finder

Hi All,

I have been writing some search queries, and now I have written a search query for which I'm getting a number of entries.

My requirement is that I need to limit the number of search results which I'm getting.

The search query is as follows:

(XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | top limit=15 mbytes by dest_ip | rename mbytes as "Total MBytes", dest_ip as "Destination Address" | fields - percent, - count  | sort -"Total MBytes" | addcoltotals "Total MBytes" labelfield="Destination Address" label=Total

I have used "top limit=15" in the search query, but I still receive a search result of 450+.

I also tried using "stats sum(mbytes)" but was not able to limit the search results.

Please let me know if I am missing anything in the above query, or is there any other way to achieve this?

Also, please let me know how I can convert the same into a chart.

I know I can just click on the graph icon and convert it into a chart, but if you can provide the exact chart command it will be more useful.

Thanks in advance
Prasanna


Communicator

Hi,

I would suggest using the following modified query.

(XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | table dest_ip, mbytes | sort -mbytes | head 15 | rename mbytes as "Total MBytes", dest_ip as "Destination Address"

This will help you get the data in tabular form as you want. I haven't tried this, but I feel that the search results in tabular format can be directly converted into a chart as well.

Let me know if it works for you.

Regards,
Amit Saxena


Legend

The reason you're getting more than 15 results is that you're doing top limit=15 BUT also by dest_ip, which tells top to grab each dest_ip's top 15 mbytes values. Depending on what you actually want, you might instead want to do something like top 1 mbytes by dest_ip | sort - mbytes to get the IPs with the highest mbytes values, and then do | head 15 to only get the first 15.
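To make the row-count behaviour concrete, here is an added Python emulation (not Splunk code and not part of the thread) of the pipeline from the question, run over a handful of constructed firewall-style events. It shows why `top limit=N mbytes by dest_ip` returns up to N rows per destination, while summing per destination and then applying `head` yields one row per destination.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread); the layout matches the question's two
# rex patterns: "for <if>:<ip>/<port> to <if>:<ip>/<port> ... bytes <n>".
EVENTS = [
    "Teardown TCP for outside:198.51.100.7/443 to inside:192.0.2.10/50120 bytes 3145728",
    "Teardown TCP for outside:198.51.100.7/443 to inside:192.0.2.10/50121 bytes 1048576",
    "Teardown TCP for outside:198.51.100.9/80 to inside:192.0.2.11/50200 bytes 524288",
    "Teardown TCP for outside:198.51.100.9/80 to inside:192.0.2.11/50201 bytes 2097152",
    "Teardown TCP for outside:198.51.100.3/22 to inside:192.0.2.12/50300 bytes 262144",
]
# Same regexes as the question's rex commands, in Python named-group syntax.
CONN_RE = re.compile(r"for [\w\d\-\.]+:(?P<src_ip>\d+\.\d+\.\d+\.\d+)/(?P<src_port>\d+)\s+to\s+"
                     r"[\w\d\-\.]+:(?P<dest_ip>\d+\.\d+\.\d+\.\d+)/(?P<dest_port>\d+)")
BYTES_RE = re.compile(r"bytes\s+(?P<bytes>\d+)")

def rex_eval(events):
    """Emulate `| rex ... | rex ... | eval mbytes=round(bytes/1024/1024, 3)`."""
    rows = []
    for ev in events:
        m, b = CONN_RE.search(ev), BYTES_RE.search(ev)
        if m and b:  # events matching neither rex simply carry no extracted fields
            rows.append({**m.groupdict(), "mbytes": round(int(b["bytes"]) / 1024 / 1024, 3)})
    return rows

def top_by(rows, field, by, limit):
    """Emulate `top limit=N <field> by <by>`: the N most frequent <field> values
    *within each* <by> group, so the output can be up to N rows per group."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        counts[r[by]][r[field]] += 1
    out = []
    for group, vals in counts.items():
        ranked = sorted(vals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
        out.extend({by: group, field: v, "count": c} for v, c in ranked)
    return out

def stats_sum_head(rows, field, by, n):
    """Emulate `stats sum(<field>) as total by <by> | sort -total | head N`:
    one row per group, then only the N largest totals survive."""
    totals = defaultdict(float)
    for r in rows:
        totals[r[by]] += r[field]
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [{by: g, "total": round(t, 3)} for g, t in ranked[:n]]

if __name__ == "__main__":
    rows = rex_eval(EVENTS)
    print(len(top_by(rows, "mbytes", "dest_ip", 15)), "rows from top ... by dest_ip;",
          len(stats_sum_head(rows, "mbytes", "dest_ip", 15)), "rows from stats sum ... | head 15")
```

With three destinations in the sample, `top_by` returns 5 rows (one per distinct mbytes value per destination) while `stats_sum_head` returns 3, which is the same effect the Legend describes with the 450+ results.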
