Splunk Search

show top 5 values in column chart

sarit_s
Communicator

Hello
im trying to show top 5 values in column chart
this is my query:

index="ssys_*_fdm"  pauseReason: NOT "pauseReason: NotPaused" pauseReason: NOT "pauseReason: UserPaused" 
| `Region`
| `pauseReason`
|`SerialNumber`
| top 5 pause_reason SerialNumber
| table pause_reason SerialNumber

but the chart is empty
removing the table returns me SerialNumber and count in the chart which i don't want
what am i doing wrong ?

Tags (1)
0 Karma
1 Solution

sarit_s
Communicator

thanks
i finally did it that way :

(index=ssys_*_fdm OR index=other_fdm) pauseReason: NOT "pauseReason: NotPaused" pauseReason: NOT "pauseReason: UserPaused" 
| pauseReason
| stats count by SerialNumber,pause_reason 
| eventstats sum(count) as total by SerialNumber
| sort - total
| streamstats dc(SerialNumber) as i
| where i<=5
| chart values(count) over SerialNumber by pause_reason

View solution in original post

sarit_s
Communicator

the 5 with the highest values per SerialNumber

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...