Solved: top results when using a chart command

rakesh_498115 · ‎06-15-2012

Hi ,

I have query which uses the chart command . Now i need only top ten values to be displayed for that query . used top but didnt get the proper results.

sourcetype="X" | eval a=mvfilter(eventtype LIKE "%_Metrics") |stats count by UniqueID,a |chart sum(count) by UniqueID,a | fillnull value="0"

here a contains the eventtypes

my results are something likethis..

UniqueId A_metrics B_metrics C_metrics
abc 0 56 0
sds 34 5 94
dss 0 53 39
ere 24 45 19
....
...
...

I need to display only the count top 10 UniqueId's..How can i do tat ?? Used top at the bottom but couldnt the same result as above..please help.

Mahieu · ‎06-15-2012

Try adding this :
| addtotals | head 5| fields – Total

View solution in original post

Mahieu · ‎06-15-2012

Try adding this :
| addtotals | head 5| fields – Total

top results when using a chart command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation