Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart but only for the top 5

hartfoml
Motivator
‎02-28-2012 03:45 PM

I want to use timechart to show a graph of the progress of an item so I use this command

| timechart span=1w count by plugin

the problem is I have too many plugins. I want to limit the chart to only the top 5 plugin's over the time period

So something like this but this dosn't work

| timecart span=1w top 5 plugin

Anyone know how to use top with timechart ??

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-28-2012 04:37 PM 
| timecart span=1w limit=5 useother=f count by plugin

View solution in original post

Reply
Solved! Jump to solution

hartfoml
Motivator
‎02-28-2012 04:37 PM

I got it thanks the right syntax to use for this is

| timechart useother=F span=1w limit=5 count by plugin

this says to useother=false so that other is not on the chart and the limit is 5

0 Karma
Reply
Solved! Jump to solution

sbattista09
Contributor
‎01-19-2016 11:00 AM

would limit=5 show you the top 5 "plugin" or only limit it to some random 5 "plugins"? as in, would it show you the highest 5 counts of a "plugin"?

Reply
Solved! Jump to solution

msquicc
Path Finder
‎05-01-2025 06:45 AM

I know this is a pretty old post, but wanted to put this here for anyone else looking.  This has bothered me for some time.  

It seems timechart, as of some version, supports 3 limit options:

limit=N

limit=topN

limit=bottomN

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎05-01-2025 09:28 AM

limit=N is the same as limit=topN

And the bottomN appeared in 8.1, which was several years ago 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-28-2012 04:37 PM 
| timecart span=1w limit=5 useother=f count by plugin
Reply
Solved! Jump to solution

hartfoml
Motivator
‎02-28-2012 04:38 PM

thanks you beet me to it

0 Karma
Reply
Solved! Jump to solution

kbrown9392
New Member
‎08-04-2017 07:19 AM

This does not seem to chart the top list, but a random list of 5. They are not the "top 5" in count, and not in order by count. How do we do that?

0 Karma
Reply
Solved! Jump to solution

imrago
Contributor
‎02-28-2012 04:33 PM

You could try to use subsearch:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

Something like this:

index=* [search index=* | stats count by plugin | sort - count | head 5 | fields + plugin] | timechart span=1w count by plugin

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎02-28-2012 04:38 PM

I'm going to try this to see how it comes out

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎02-28-2012 04:23 PM

OK so i found out that LIMIT reduces to the top "n" number of items like this

 | timechart span=1w limit=5 count by plugin

this gives me the top 5 but puts in the other field with all the ones not in the top 5.

Anyone know how to not show other in the chart???

0 Karma
Reply
Solved! Jump to solution

jtrimmings
Engager
‎05-11-2017 09:45 AM

useother=f

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...