Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

top command with values

jangid
Builder
‎11-28-2012 03:19 AM

I want top 10 values for a field based on the timer control.

mysearch | top 10 E_Time

above command return top 10 results based on the events count. is there anyway to return top 10 values and display a graph based on these values?

alternatively I can run this search and display the graph

mysearch | table _time E_TIME | sort -E_TIME | head 10 | where len(E_TIME) > 0

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎11-28-2012 03:45 AM

Use head:

... | head 10

EDIT: head will not necessarily return the latest results. The head command will retrieve the first X items from what it's given in the search pipeline. If it's run directly after the initial search command, then you are right, what comes in the search pipeline will be the latest events. If you run it after table though, for instance, it will get the table items and give you the first X of those. So, if you have a table with data that is sorted in the way you want, running head 10 will give you the first 10 items according to that sort order. I believe that's what you wanted.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎11-28-2012 03:45 AM

Use head:

... | head 10

EDIT: head will not necessarily return the latest results. The head command will retrieve the first X items from what it's given in the search pipeline. If it's run directly after the initial search command, then you are right, what comes in the search pipeline will be the latest events. If you run it after table though, for instance, it will get the table items and give you the first X of those. So, if you have a table with data that is sorted in the way you want, running head 10 will give you the first 10 items according to that sort order. I believe that's what you wanted.

Reply
Solved! Jump to solution

Ayn
Legend
‎11-29-2012 04:11 AM

Nope, top works with item counts exclusively, so you cannot use it to work with values.

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎11-29-2012 02:50 AM

Thanks Ayn, yep you are right I used | head x to get the result. I solved my problem with table | sort | head
buy my question, is it possible to get top 10 E_Time values [not events] using top command?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-28-2012 07:54 AM

No. Updated my answer, please read.

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎11-28-2012 07:19 AM

this will return latest result. I want top 10 values from a particular field.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top