Splunk Search

extract top ten values

jip31jip31
Explorer

hi
i use this code
index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" | dedup _time SourceName | table _time SourceName | stats count by SourceName

and i would like to keep only the ten important values
how to do it please???

Tags (1)
0 Karma
1 Solution

kmaron
Motivator
index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" 
| dedup _time SourceName 
| table _time SourceName 
| stats count by SourceName
| sort - count limit=10

Sort by the field you want the top 10 of. (I used your count)
Then set limit= for how many you want to keep.

View solution in original post

tpeveler_splunk
Splunk Employee
Splunk Employee

Hello,

The most straight forward way to handle this would be to use the top command.

A couple of things to note. You'll want to wildcard your sourcetype so that you do indeed pickup the wineventlog sourcetypes (i.e. sourcetype="wineventlog:*"). In addition, you'll want to wrap the OR condition on the Type fields in parenthesis as such (Type="Critique" OR Type="Avertissement")

SPL...

index="wineventlog" sourcetype="wineventlog:*" SourceName="" (Type="Critique" OR Type="Avertissement")
| dedup _time SourceName
| top limit=10 SourceName

0 Karma

kmaron
Motivator
index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" 
| dedup _time SourceName 
| table _time SourceName 
| stats count by SourceName
| sort - count limit=10

Sort by the field you want the top 10 of. (I used your count)
Then set limit= for how many you want to keep.

adonio
Ultra Champion

use the top command? ... | top limit=10 SourceName
or maybe sort command ... | sort 10 - count

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...