- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Remove top from results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remove top from results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
is there any development on this ?
remove top x rows from result
best regards
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look into the outlier command. http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Outlier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search | sort -field1 | head 20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you want to filter the highest values, you can use a where condition, or an eval to normalize it.
example :
sourcetype=mysourcetype | where myfield < 100 | timechart max(myfield) by host
sourcetype=mysourcetype | eval myfield=if(myfield<100,myfield,0) | timechart max(myfield) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
grabs bottom 20 results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to remove the results that are listed in top.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For getting the most common values there's top (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Top ).
For getting the most rare values, rare (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rare ).
There's also a number of statistical functions available that might be suitable for you to use: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a timechart that has spikes of data. I would like to remove those spikes so I can calculate an average.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give more details on what you want to achieve, preferrably with some sample events so we know more about how to solve the problem.
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)
Index This | I am a number but I am countless. What am I?
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
