Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does the "percent" column of top limit search represents?

christopheryu
Communicator
‎09-26-2016 08:48 AM

This is a pretty basic question but seems like something is amiss with the result I am getting. My search is as follows:

index=xyz sourcetype=JUNIPER LSP_DOWN | top limit=10 ROUTER

search result:

20,000 events

ROUTER count percent
routerx 1887 11.08
routery 1386 8.14

Obviously 1887 is not 11.08% of 20,000 so what exactly does the 11.08 percent represents?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 08:53 AM

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 08:53 AM

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER
Reply
Solved! Jump to solution

christopheryu
Communicator
‎09-26-2016 09:08 AM

Holy cow all this time I've been using top limit incorrectly 😞 Thank you for the info. My mistake being a newbie is relying solely on an example shown in splunk documentation without analyzing the data.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...