Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

top command with values

jangid
Builder
‎11-28-2012 03:19 AM

I want top 10 values for a field based on the timer control.

mysearch | top 10 E_Time

above command return top 10 results based on the events count. is there anyway to return top 10 values and display a graph based on these values?

alternatively I can run this search and display the graph

mysearch | table _time E_TIME | sort -E_TIME | head 10 | where len(E_TIME) > 0

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎11-28-2012 03:45 AM

Use head:

... | head 10

EDIT: head will not necessarily return the latest results. The head command will retrieve the first X items from what it's given in the search pipeline. If it's run directly after the initial search command, then you are right, what comes in the search pipeline will be the latest events. If you run it after table though, for instance, it will get the table items and give you the first X of those. So, if you have a table with data that is sorted in the way you want, running head 10 will give you the first 10 items according to that sort order. I believe that's what you wanted.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎11-28-2012 03:45 AM

Use head:

... | head 10

EDIT: head will not necessarily return the latest results. The head command will retrieve the first X items from what it's given in the search pipeline. If it's run directly after the initial search command, then you are right, what comes in the search pipeline will be the latest events. If you run it after table though, for instance, it will get the table items and give you the first X of those. So, if you have a table with data that is sorted in the way you want, running head 10 will give you the first 10 items according to that sort order. I believe that's what you wanted.

Reply
Solved! Jump to solution

Ayn
Legend
‎11-29-2012 04:11 AM

Nope, top works with item counts exclusively, so you cannot use it to work with values.

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎11-29-2012 02:50 AM

Thanks Ayn, yep you are right I used | head x to get the result. I solved my problem with table | sort | head
buy my question, is it possible to get top 10 E_Time values [not events] using top command?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-28-2012 07:54 AM

No. Updated my answer, please read.

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎11-28-2012 07:19 AM

this will return latest result. I want top 10 values from a particular field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...