Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time Chart Command Question

jason_hotchkiss
Communicator
‎07-20-2021 11:14 AM

I am reading:


The following section: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart

limitSyntax: limit=(top | bottom) <int>Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N or limit=top N keeps the N highest scoring distinct values of the split-by field. Setting limit=bottom N keeps the lowest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false. The scoring is determined as follows:

  • If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores.
  • If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>.

Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'. See Usage.Default: top 10


When I try and create a timechart using the limit=top 25 the top is red and I receive the following error in Splunk:  Error in 'SearchProcessor': Invalid option value. Expecting a 'non-negative integer' for option 'limit'. Instead got 'top'.

Am I misusing or misinterpreting the documentation?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2021 12:18 PM

Make sure the documentation matches the version you use.  The top/bottom settings weren't documented until 8.1.0 so they make not be available until that version (or later).  If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2021 12:18 PM

Make sure the documentation matches the version you use.  The top/bottom settings weren't documented until 8.1.0 so they make not be available until that version (or later).  If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎07-20-2021 12:39 PM

Ahh. Ok.  I missed that.  We are on 8.0.3 for the time being.  Thanks for the sanity check.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...