Solved: Re: how to find most popular field over time ?

tariqazeem123 · ‎07-01-2019

i have data in default index "main" and has sourcetype "app" and field like program_name.

i want to find most popular programmes over time. can anybody please help me with this ?

snigdhasaxena · ‎07-02-2019

Hi @tariqazeem123 ,

There are 2 ways:
1. You can run your command and use sort command
index=main sourcetype=app | sort program_name by _time

2.You can use top command and you can limit it to no. of events you want

index=main sourcetype=app | top limit=0 program_name

snigdhasaxena · ‎07-02-2019

Hi @tariqazeem123 ,

There are 2 ways:
1. You can run your command and use sort command
index=main sourcetype=app | sort program_name by _time

2.You can use top command and you can limit it to no. of events you want

index=main sourcetype=app | top limit=0 program_name

amitm05 · ‎07-01-2019

Hi @tariqazeem123
You would like to use the top command for this -

index=main sourcetype=app| top limit=0 program_name

Let me know if there is more to your query. Thanks

how to find most popular field over time ?