Splunk Search
Highlighted

What does the "percent" column of top limit search represents?

Communicator

This is a pretty basic question but seems like something is amiss with the result I am getting. My search is as follows:

index=xyz sourcetype=JUNIPER LSP_DOWN | top limit=10 ROUTER

search result:

20,000 events

ROUTER count percent
routerx 1887 11.08
routery 1386 8.14

Obviously 1887 is not 11.08% of 20,000 so what exactly does the 11.08 percent represents?

Tags (2)
0 Karma
Highlighted

Re: What does the "percent" column of top limit search represents?

SplunkTrust
SplunkTrust

The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.

If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)

index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER

View solution in original post

Highlighted

Re: What does the "percent" column of top limit search represents?

Communicator

Holy cow all this time I've been using top limit incorrectly 😞 Thank you for the info. My mistake being a newbie is relying solely on an example shown in splunk documentation without analyzing the data.

0 Karma