Splunk Search

Time Chart Command Question

jason_hotchkiss
Communicator

I am reading:


The following section: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart

limitSyntax: limit=(top | bottom) <int>Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N or limit=top N keeps the N highest scoring distinct values of the split-by field. Setting limit=bottom N keeps the lowest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false. The scoring is determined as follows:

  • If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores.
  • If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>.

Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'. See Usage.Default: top 10


When I try and create a timechart using the limit=top 25 the top is red and I receive the following error in Splunk:  Error in 'SearchProcessor': Invalid option value. Expecting a 'non-negative integer' for option 'limit'. Instead got 'top'.

Am I misusing or misinterpreting the documentation?

 

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Make sure the documentation matches the version you use.  The top/bottom settings weren't documented until 8.1.0 so they make not be available until that version (or later).  If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Make sure the documentation matches the version you use.  The top/bottom settings weren't documented until 8.1.0 so they make not be available until that version (or later).  If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.

jason_hotchkiss
Communicator

Ahh. Ok.  I missed that.  We are on 8.0.3 for the time being.  Thanks for the sanity check.

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...