Solved: Re: how can I create a top 5 list of multiple valu... - Page 2

heybails88 · ‎01-15-2018

I have an index from a forwarder that looks something like this:
"index=indexname DEBUG Rule="Rule One" OR "Rule Two" OR "Rule Three" etc."
I'd like to build a summary of all the Rules that come in via the log that is being read by the forwarder. Something like a top 5 summary of Rules that came out. I've tried to parse through a lookup table, but that didn't do what I wanted. Having difficulty with something that should be pretty easy.

heybails88 · ‎02-06-2018

Ultimately what I needed was a regex extraction called "matched" which looked like this

matched\s(?P.*)

This added the events that came from log on the forwarder. Then create the top 5.

index=index matched=* |stats count by matched |sort - count

View solution in original post

mayurr98 · ‎01-16-2018

Yes that is also will do.

somesoni2 · ‎01-15-2018

You need to define the rule based on which you want to find the top 5 rules. Example, if you want to find out top 5 Rule based on number of events, you can do like this

index=indexname DEBUG Rule="Rule One" OR Rule="Rule Two" OR Rule="Rule Three"...all rules that you're interested in..
| top 5 Rule

heybails88 · ‎01-16-2018

Thanks for the info. A lookup table is what I need, which I had defined, but it wasn't right. However, I still need something else.

how can I create a top 5 list of multiple values from one source

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!