Splunk Search

Remove top from results

rhum_defintel
New Member

I want to remove the top results from my final results. Essentially, removing outliers.

Tags (2)
0 Karma

altink
Builder

Hello

is there any development on this ?

remove top x rows from result

best regards
Altin

0 Karma

devin_stonecyph
Explorer

landen99
Motivator

search | sort -field1 | head 20

0 Karma

yannK
Splunk Employee
Splunk Employee

if you want to filter the highest values, you can use a where condition, or an eval to normalize it.

example :

sourcetype=mysourcetype | where myfield < 100 | timechart max(myfield) by host

sourcetype=mysourcetype | eval myfield=if(myfield<100,myfield,0) | timechart max(myfield) by host

0 Karma

landen99
Motivator

grabs bottom 20 results

0 Karma

rhum_defintel
New Member

I want to remove the results that are listed in top.

0 Karma

Ayn
Legend

For getting the most common values there's top (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Top ).

For getting the most rare values, rare (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rare ).

There's also a number of statistical functions available that might be suitable for you to use: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

0 Karma

rhum_defintel
New Member

I have a timechart that has spikes of data. I would like to remove those spikes so I can calculate an average.

0 Karma

Ayn
Legend

Give more details on what you want to achieve, preferrably with some sample events so we know more about how to solve the problem.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...