Hi all,
I am able to get top 10 values but with that I need to get others ( Those who are not in Top 10 ) in one value called other. So totally need 11 values. 10 are top 10 and other in one chart. any help please...
I have used sourcetype="Churn Data_CSV" Churn="True." | top limit=10 state for displaying top 10 values.
Regards,
Santhosh.
Try this:
sourcetype="Churn Data_CSV" Churn="True." | top limit=10 state useother=t
Read the docs at http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Top#Optional_arguments. It says the following for useother
:
useother
Syntax: useother=<bool>
Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff. Default is false.
Try this:
sourcetype="Churn Data_CSV" Churn="True." | top limit=10 state useother=t
Read the docs at http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Top#Optional_arguments. It says the following for useother
:
useother
Syntax: useother=<bool>
Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff. Default is false.
How to use that useother in this example sourcetype="Churn Data_CSV" Churn="True." | stats count(Churn) as "Churn Count" by state |sort - "Churn Count" |head 10
The top command by default will count the number of events with the field (or unique combinations when given multiple fields) and output the count into a new field called count
with another new field called percentage
. The search you have will only contain events that have the Churn
field equal to True.
, which means that a count of every event broken down by state
will provide the results you seem to want.
You can suppress the display of the percentage
field; rename the count
field; display a sorted list of largest to smallest of the highest counts for each state
; and include the OTHER
field (which can, also, be renamed) like this:
sourcetype="Churn Data_CSV" Churn="True." | top limit=10 countfield="Churn Count" showperc=f state useother=t
Does this produce your desired results?