| eval totalCount = cCounter + lCounter
| eventstats max(totalCount) as maxTotal
| table id, time, message, cCounter, lCounter, totalCount
| sort -totalCount
Hi 😃 my current search command is as above.
How do I actually display only top 5 totalCount? I trying adding "top 5 totalCount", but does not work.
First of all I don't think that's your whole search?
Also, I don't know what you mean by top 5 - do you want to get just the first 5 results? In that case just add a | head 5
at the end and you should be done.
First of all I don't think that's your whole search?
Also, I don't know what you mean by top 5 - do you want to get just the first 5 results? In that case just add a | head 5
at the end and you should be done.