Splunk Search

What is the syntax for finding top value of some field and increasing the limit?

Champion

index="whatever" INFECTION | top limit="15" misc by src

When I attempt this search, the limit qualifier seems to be ignored:

It does not limit, even to 100 results.


Champion

The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:

index="whatever" INFECTION | top misc limit=100 by src


Explorer

Hi, The_Wolverine...

This does not work for me, regardless of search string or index. Could it possibly be bugged?

When I do:

index="blah" search search2 | top var limit=25 by var2

I get 65 results in my list, not 25. We are running version 4.0.11, build 79031.


Explorer

So my understanding is: limit the number of field1 values, with no limit on the combinations with field2.

That would make sense, but I am getting more than the limit number of field1 values? Is it impossible to decrease the limit below 10?


Champion

I'm not sure if your understanding of "limit" vs. "results" is correct here. The limit is based on the var field. It does not limit the result/event count.

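The point made in the accepted answer and in the reply above is that with a by clause, limit=N caps the number of top values of the first field per distinct value of the by field, so the total row count can be N times the number of groups (which is how limit=25 can yield 65 rows, and how the default limit of 10 yields more than 10 rows). The following Python emulation of `top <field> limit=N [by <field2>]` is an added example, not code from the thread or from Splunk; the `top_by` and `rows_per_group` helpers, the host addresses and the signature names are constructed for illustration, and the per-group percent calculation is my assumption about how Splunk reports percent, not something the thread states.

```python
from collections import Counter, defaultdict

# Constructed sample events (hypothetical hosts and signature names, not data
# from the thread): each event is one infection detection, with the source
# host in "src" and the detection name in "misc".
def build_events():
    events = []
    # 10.0.0.1: 12 distinct signatures, Sig00 seen 12 times ... Sig11 once
    for i in range(12):
        events += [{"src": "10.0.0.1", "misc": f"Sig{i:02d}"}] * (12 - i)
    # 10.0.0.2: only 3 distinct signatures
    for name, n in (("Sig00", 5), ("Sig01", 3), ("Sig02", 2)):
        events += [{"src": "10.0.0.2", "misc": name}] * n
    # 10.0.0.3: 5 distinct signatures, all tied at 4 detections each
    for i in range(5):
        events += [{"src": "10.0.0.3", "misc": f"Sig{i:02d}"}] * 4
    return events

EVENTS = build_events()


def top_by(events, field, by=None, limit=10):
    """Emulate `top <field> limit=N [by <by>]`.

    Without a by clause the N most frequent values of `field` are returned.
    With a by clause the N most frequent values are returned *per distinct
    value of `by`*, so the row count can reach N times the number of groups.
    Percent is computed against the group's own event total (an assumption
    about Splunk's reporting; the row-count behaviour is the point here).
    """
    groups = defaultdict(Counter)
    for e in events:
        if field not in e or (by is not None and by not in e):
            continue  # events lacking the counted field are skipped
        groups[e[by] if by is not None else None][e[field]] += 1

    rows = []
    for group in sorted(groups, key=str):
        counts = groups[group]
        total = sum(counts.values())
        # Highest count first; ties broken by value name for determinism
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
        for value, count in ranked:
            row = {field: value, "count": count,
                   "percent": round(100.0 * count / total, 6)}
            if by is not None:
                row[by] = group
            rows.append(row)
    return rows


def rows_per_group(rows, by):
    """How many rows each by-group contributed, to show where the total comes from."""
    return dict(Counter(r[by] for r in rows))


if __name__ == "__main__":
    for limit in (10, 25, 2):
        rows = top_by(EVENTS, "misc", "src", limit=limit)
        print(f"top misc limit={limit} by src -> {len(rows)} rows, "
              f"per host: {rows_per_group(rows, 'src')}")
    flat = top_by(EVENTS, "misc", limit=15)
    print(f"top misc limit=15 (no by clause) -> {len(flat)} rows")
```

With the default limit of 10 the by-version returns 18 rows (10 + 3 + 5), limit=25 returns 20 (every distinct value of every host), and limit=2 returns 6, so lowering the limit below 10 does work, just per host. Without a by clause the same data yields a single ranked list capped at the limit, which is the behaviour the original poster expected from the by-version.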
