Remove top from results

New Member

I want to remove the top results from my final results. Essentially, removing outliers.

0 Karma

Re: Remove top from results

Legend

Give more details on what you want to achieve, preferably with some sample events so we know more about how to solve the problem.

0 Karma

Re: Remove top from results

New Member

I have a timechart that has spikes of data. I would like to remove those spikes so I can calculate an average.

0 Karma

Re: Remove top from results

Legend

For getting the most common values there's top (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Top).

For getting the most rare values, rare (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rare).

There's also a number of statistical functions available that might be suitable for you to use: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

0 Karma

Re: Remove top from results

Splunk Employee

If you want to filter the highest values, you can use a where condition, or an eval to normalize it.

Example:

sourcetype=mysourcetype | where myfield < 100 | timechart max(myfield) by host

sourcetype=mysourcetype | eval myfield=if(myfield<100,myfield,0) | timechart max(myfield) by host

0 Karma
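A variation on the fixed-threshold searches above, added here as an example that is not part of the original thread: instead of a hard-coded limit, it computes a per-host cutoff from the data, drops the time buckets above it, and averages what remains. The 5-minute span, the 95th-percentile cutoff, and the output field names are assumptions; `sourcetype`, `myfield` and `host` are the placeholders used in the post above.

```spl
sourcetype=mysourcetype
| bin _time span=5m
| stats max(myfield) AS peak BY _time, host
| eventstats perc95(peak) AS cutoff BY host
| where peak <= cutoff
| stats avg(peak) AS avg_without_spikes, count AS buckets_kept BY host
```

To cap spikes at the cutoff rather than drop them, replace the `where` line with `| eval peak=min(peak, cutoff)`.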

Re: Remove top from results

New Member

I want to remove the results that are listed in top.

0 Karma

Re: Remove top from results

Motivator

grabs bottom 20 results

0 Karma

Re: Remove top from results

Motivator

search | sort -field1 | head 20

0 Karma

Re: Remove top from results

Contributor

Hello,

Is there any development on this?

remove top x rows from result

Best regards,
Altin

0 Karma