Solved: What's the difference between using "By" and havin...

hollybross1219 · ‎01-24-2020

Don't have a specific example, but would like to understand for my education.

For example, I don't understand what COULD be the difference between listing two fields in the top command versus using the "by" clause. See the following basic examples:

index=sales sourcetype=vendor_sales
| top vendor product name
vs.
index=sales sourcetype=vendor_sales |
top vendor by product name

13tsavage · ‎01-24-2020

The answer to your question can be found from this Accepted Answer in Splunk Answers.

https://answers.splunk.com/answers/243063/when-you-feed-multiple-field-names-to-the-top-comm.html

View solution in original post

13tsavage · ‎01-24-2020

The answer to your question can be found from this Accepted Answer in Splunk Answers.

https://answers.splunk.com/answers/243063/when-you-feed-multiple-field-names-to-the-top-comm.html

13tsavage · ‎01-24-2020

I think this old post can help answer your question.

Answer

richgalloway · ‎01-24-2020

Have you looked at the examples in the docs?

---
If this reply helps you, Karma would be appreciated.

What's the difference between using "By" and having another field in top command?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)