Solved: Re: how can I create a top 5 list of multiple valu... - Page 2

heybails88 · ‎01-15-2018

I have an index from a forwarder that looks something like this:
"index=indexname DEBUG Rule="Rule One" OR "Rule Two" OR "Rule Three" etc."
I'd like to build a summary of all the Rules that come in via the log that is being read by the forwarder. Something like a top 5 summary of Rules that came out. I've tried to parse through a lookup table, but that didn't do what I wanted. Having difficulty with something that should be pretty easy.

heybails88 · ‎02-06-2018

Ultimately what I needed was a regex extraction called "matched" which looked like this

matched\s(?P.*)

This added the events that came from log on the forwarder. Then create the top 5.

index=index matched=* |stats count by matched |sort - count

View solution in original post

mayurr98 · ‎01-16-2018

Yes that is also will do.

somesoni2 · ‎01-15-2018

You need to define the rule based on which you want to find the top 5 rules. Example, if you want to find out top 5 Rule based on number of events, you can do like this

index=indexname DEBUG Rule="Rule One" OR Rule="Rule Two" OR Rule="Rule Three"...all rules that you're interested in..
| top 5 Rule

heybails88 · ‎01-16-2018

Thanks for the info. A lookup table is what I need, which I had defined, but it wasn't right. However, I still need something else.

how can I create a top 5 list of multiple values from one source

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!