Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does the "percent" column of top limit search represents?

christopheryu
Communicator
‎09-26-2016 08:48 AM

This is a pretty basic question but seems like something is amiss with the result I am getting. My search is as follows:

index=xyz sourcetype=JUNIPER LSP_DOWN | top limit=10 ROUTER

search result:

20,000 events

ROUTER count percent
routerx 1887 11.08
routery 1386 8.14

Obviously 1887 is not 11.08% of 20,000 so what exactly does the 11.08 percent represents?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 08:53 AM

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 08:53 AM

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER
Reply
Solved! Jump to solution

christopheryu
Communicator
‎09-26-2016 09:08 AM

Holy cow all this time I've been using top limit incorrectly 😞 Thank you for the info. My mistake being a newbie is relying solely on an example shown in splunk documentation without analyzing the data.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...