index="whatever" INFECTION | top limit="15" misc by src
When I attempt this search, the limit qualifier seems to be ignored:
It does not limit, even to 100 results.
The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:
index="whatever" INFECTION | top misc limit=100 by src
Hi, The_Wolverine...
This does not work for me, regardless of search string or index. Could it possibly be bugged?
When I do:
index="blah" search search2 | top var limit=25 by var2
I get 65 results in my list, not 25. We are running version 4.0.11, build 79031.
So my understanding is that it limits the number of field1 values, with no limit on the combinations with field2.
That would make sense, but I am getting more than the limit number of field1? Is it impossible to decrease the limit below 10?
I'm not sure if your understanding of "limit" vs. "results" is correct here. The limit is based on the var field. It does not limit the result/event count.
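An added illustration, not part of the thread and not Splunk's code: a small Python model of the behaviour the comments above describe, assuming `limit` is applied to each by-group separately rather than to the total row count. The events and host names are constructed; the `var` and `var2` field names come from the query quoted in the thread.

```python
from collections import Counter, defaultdict

def top(events, field, by, limit=10):
    """Model of `top <field> limit=N by <by>`: values of `field` are ranked
    inside each `by` group, and at most `limit` rows are kept per group."""
    groups = defaultdict(Counter)
    for ev in events:
        if field in ev and by in ev:
            groups[ev[by]][ev[field]] += 1
    rows = []
    for key in sorted(groups):
        for value, count in groups[key].most_common(limit):
            rows.append({by: key, field: value, "count": count})
    return rows

def top_overall(events, field, by, limit=10):
    """Cap on total rows instead: count (by, field) pairs, sort descending,
    keep the first N (in SPL: stats count by ... | sort - count | head N)."""
    pairs = Counter((ev[by], ev[field]) for ev in events
                    if field in ev and by in ev)
    return [{by: b, field: f, "count": c}
            for (b, f), c in pairs.most_common(limit)]

def sample_events():
    """Constructed data: three var2 groups with 30, 30 and 15 distinct var values."""
    events = []
    for group, distinct in (("hostA", 30), ("hostB", 30), ("hostC", 15)):
        for i in range(distinct):
            # value i occurs i+1 times, so ranking inside a group is unambiguous
            events += [{"var2": group, "var": f"v{i:02d}"}] * (i + 1)
    return events

if __name__ == "__main__":
    ev = sample_events()
    print(len(top(ev, "var", "var2", limit=25)))          # per-group limit
    print(len(top_overall(ev, "var", "var2", limit=25)))  # overall cap
```

With this data, a per-group limit of 25 yields 25 + 25 + 15 rows, which is how a result list can be longer than the limit.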