Solved: Re: extract top ten values

jip31jip31 · ‎04-09-2018

hi
i use this code
index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" | dedup _time SourceName | table _time SourceName | stats count by SourceName

and i would like to keep only the ten important values
how to do it please???

kmaron · ‎04-09-2018

index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" 
| dedup _time SourceName 
| table _time SourceName 
| stats count by SourceName
| sort - count limit=10

Sort by the field you want the top 10 of. (I used your count)
Then set limit= for how many you want to keep.

View solution in original post

tpeveler_splunk · ‎04-09-2018

Hello,

The most straight forward way to handle this would be to use the top command.

A couple of things to note. You'll want to wildcard your sourcetype so that you do indeed pickup the wineventlog sourcetypes (i.e. sourcetype="wineventlog:*"). In addition, you'll want to wrap the OR condition on the Type fields in parenthesis as such (Type="Critique" OR Type="Avertissement")

SPL...

index="wineventlog" sourcetype="wineventlog:*" SourceName="" (Type="Critique" OR Type="Avertissement")
| dedup _time SourceName
| top limit=10 SourceName

kmaron · ‎04-09-2018

index="wineventlog" sourcetype="wineventlog:" SourceName="" Type="Critique" OR Type="Avertissement" 
| dedup _time SourceName 
| table _time SourceName 
| stats count by SourceName
| sort - count limit=10

Sort by the field you want the top 10 of. (I used your count)
Then set limit= for how many you want to keep.

adonio · ‎04-09-2018

use the top command? ... | top limit=10 SourceName
or maybe sort command ... | sort 10 - count

extract top ten values

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?