Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

wsw70
Communicator
‎09-24-2013 05:52 AM

Hi,

Now that I know, thanks to R.Turk, how to sort stacked bar charts I wanted to pick a top 5 of the results. This works fine by adding a | head 5 to the search.

Is there a way to gather all the other events (the ones which did not make it to the top 5) in a separate bar called "others" (or whatever)?

Thanks!

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-24-2013 06:58 AM

Could this be of use? top has a useother parameter that can be used to bunch the remaining events together into OTHER, like so;

sourcetype=access_combined | top 5 clientip useother=t

/K

0 Karma
Reply

wsw70
Communicator
‎09-24-2013 10:47 PM

Sorry, I was not clear enough when referring to the previous post on sorting bar charts. The search over there was

<base search>
| chart count over N_vendor by N_subnetname
| addtotals fieldname=total
| sort -total
| fields - total

so total is indeed defined.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-24-2013 01:01 PM

eeh you need to do top 5 something. Is total a field that exists in some/most/all of your events?

You know that top is not the same as max? top will look at the frequency of values for the specified field, not whether a value is higher than another.

/K

0 Karma
Reply

wsw70
Communicator
‎09-24-2013 07:07 AM

This does not work, unfortunately. Even a plain top 5 total returns empty results.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...