Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does the "percent" column of top limit search represents?

christopheryu
Communicator
‎09-26-2016 08:48 AM

This is a pretty basic question but seems like something is amiss with the result I am getting. My search is as follows:

index=xyz sourcetype=JUNIPER LSP_DOWN | top limit=10 ROUTER

search result:

20,000 events

ROUTER count percent
routerx 1887 11.08
routery 1386 8.14

Obviously 1887 is not 11.08% of 20,000 so what exactly does the 11.08 percent represents?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 08:53 AM

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 08:53 AM

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER
Reply
Solved! Jump to solution

christopheryu
Communicator
‎09-26-2016 09:08 AM

Holy cow all this time I've been using top limit incorrectly 😞 Thank you for the info. My mistake being a newbie is relying solely on an example shown in splunk documentation without analyzing the data.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...