Solved: Use transforming command on all events

flow2k · ‎02-22-2018

In Searching, it looks like it is not possible to use a transforming command directly. For example, I would like find the most common host values across all events, so I do
top host

But this is not a valid query.

Would I really have to do
* | top host
Is this the preferred way to do what I want?

mayurr98 · ‎02-22-2018

Hey you can try something like this

index=* | top host

The above query will be much slower if you want to get results faster then you can try tstats command.

| tstats count where index=* by host | sort- count

Let me know if this helps!

View solution in original post

mayurr98 · ‎02-22-2018

Hey you can try something like this

index=* | top host

The above query will be much slower if you want to get results faster then you can try tstats command.

| tstats count where index=* by host | sort- count

Let me know if this helps!

Use transforming command on all events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation