This is a pretty basic question but seems like something is amiss with the result I am getting. My search is as follows:
index=xyz sourcetype=JUNIPER LSP_DOWN | top limit=10 ROUTER
search result:
20,000 events
ROUTER count percent
routerx 1887 11.08
routery 1386 8.14
Obviously 1887 is not 11.08% of 20,000, so what exactly does the 11.08 percent represent?
The percent here represents the contribution of the particular ROUTER to the total count of events. So if index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.
If you're seeing a discrepancy in count, it may be because the ROUTER field is not available in all the events. I would suggest running this and comparing the result (it ensures that only the events which have the ROUTER field available are selected):
index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER
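As an added illustration (not from this thread), here is a small Python model of what `top` does: it drops events that lack the field, counts the rest, and divides by the number of events that carried the field, not by the total event count. The events are constructed, the helpers `top` and `events_with_field_estimate` are mine, and rounding the percent to two decimals is a display assumption.

```python
from collections import Counter

# Constructed sample events in the spirit of the thread: Juniper LSP_DOWN
# records where the ROUTER field was not extracted for some events.
EVENTS = (
    [{"ROUTER": "routerx", "msg": "LSP_DOWN"}] * 18
    + [{"ROUTER": "routery", "msg": "LSP_DOWN"}] * 13
    + [{"ROUTER": "routerz", "msg": "LSP_DOWN"}] * 9
    + [{"msg": "LSP_DOWN"}] * 10  # ROUTER missing: silently ignored by top
)


def top(events, field, limit=10):
    """Model of Splunk `top limit=N <field>` (assumption about its semantics):
    only events carrying the field are counted, and percent is
    count / number_of_events_with_field * 100, so the denominator is NOT
    the raw event count shown in the search header."""
    values = [e[field] for e in events if field in e]
    denominator = len(values)
    rows = []
    for value, count in Counter(values).most_common(limit):
        rows.append({field: value, "count": count,
                     "percent": round(100.0 * count / denominator, 2)})
    return rows, denominator


def events_with_field_estimate(count, percent):
    """Invert a reported (count, percent) pair to estimate how many events
    actually carried the field, i.e. the denominator top used.  For the
    thread's numbers (1887, 11.08) this gives about 17,031, not 20,000."""
    return round(count * 100.0 / percent)


if __name__ == "__main__":
    rows, denom = top(EVENTS, "ROUTER")
    print(f"{len(EVENTS)} events total, {denom} with ROUTER")
    for r in rows:
        print(r)
    print("implied denominator for 1887 @ 11.08%:",
          events_with_field_estimate(1887, 11.08))
```

The difference between `len(EVENTS)` and `denom` is the set of events the `ROUTER=*` filter in the search above would exclude, which is why its counts line up with the percentages while the unfiltered total does not.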
Holy cow, all this time I've been using top limit incorrectly 😞 Thank you for the info. My mistake, being a newbie, is relying solely on an example shown in the Splunk documentation without analyzing the data.