Splunk Search

Time Chart Command Question

jason_hotchkiss
Communicator

I am reading:


The following section: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart

limitSyntax: limit=(top | bottom) <int>Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N or limit=top N keeps the N highest scoring distinct values of the split-by field. Setting limit=bottom N keeps the lowest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false. The scoring is determined as follows:

  • If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores.
  • If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>.

Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'. See Usage.Default: top 10


When I try and create a timechart using the limit=top 25 the top is red and I receive the following error in Splunk:  Error in 'SearchProcessor': Invalid option value. Expecting a 'non-negative integer' for option 'limit'. Instead got 'top'.

Am I misusing or misinterpreting the documentation?

 

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Make sure the documentation matches the version you use.  The top/bottom settings weren't documented until 8.1.0 so they make not be available until that version (or later).  If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Make sure the documentation matches the version you use.  The top/bottom settings weren't documented until 8.1.0 so they make not be available until that version (or later).  If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.

jason_hotchkiss
Communicator

Ahh. Ok.  I missed that.  We are on 8.0.3 for the time being.  Thanks for the sanity check.

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...