Hello Splunkers!
In Splunk, I want to print the top email senders by the number of attachments. My command is:
index=email eventtype="email-events" action=delivered | top 10 sender by AttachCount
but it produces more fields and they aren't sorted, like this:
and as you can see, it produced more than 10 values.
I've also tried:
index=email eventtype="email-events" action=delivered | top 10 sender by AttachCount
| stats sum(AttachCount) as AttachCount by sender
| top 10 AttachCount
And here's the result:
Please help me, I need two fields only: top sender by AttachCount.
Thanks
Your by clause on the top command is grouping, then getting the top within each group, which doesn't sound like what you are after. Try something like this:
index=email eventtype="email-events" action=delivered
| stats sum(AttachCount) as AttachCount by sender
| sort 10 -AttachCount
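To make the difference between the two pipelines visible without a Splunk instance, here is an added Python example (not part of this thread and not Splunk's own code) that simulates both over a small constructed set of delivered-email events. `top_by` mimics `top N sender by AttachCount`, where the limit applies inside each AttachCount group, so the row count grows with the number of distinct AttachCount values; `top_senders_by_attachments` mimics `stats sum(AttachCount) as AttachCount by sender | sort N -AttachCount`, which yields exactly N rows of sender and total. The sender addresses and counts are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of delivered email events (not real data): each event
# carries the sender address and how many attachments that message had.
EVENTS = [
    {"sender": "alice@example.com", "AttachCount": 3},
    {"sender": "alice@example.com", "AttachCount": 1},
    {"sender": "bob@example.com", "AttachCount": 2},
    {"sender": "bob@example.com", "AttachCount": 2},
    {"sender": "carol@example.com", "AttachCount": 5},
    {"sender": "dave@example.com", "AttachCount": 0},
    {"sender": "dave@example.com", "AttachCount": 1},
    {"sender": "erin@example.com", "AttachCount": 2},
]


def top_by(events, field, by, limit):
    """Simulate `top <limit> <field> by <by>`.

    The limit is applied inside each group of the `by` field, so the output
    can hold up to limit * (number of distinct `by` values) rows. Real SPL
    `top` also appends count and percent columns, which is where the extra
    fields in the question come from; here each row is (by_value, field_value,
    count) to keep the shape explicit.
    """
    groups = defaultdict(Counter)
    for event in events:
        groups[event[by]][event[field]] += 1
    rows = []
    for by_value in sorted(groups):
        for field_value, count in groups[by_value].most_common(limit):
            rows.append((by_value, field_value, count))
    return rows


def top_senders_by_attachments(events, limit):
    """Simulate `stats sum(AttachCount) as AttachCount by sender
    | sort <limit> -AttachCount`: one total per sender, highest first,
    truncated to `limit` rows. Ties are broken by sender name for a
    deterministic result."""
    totals = Counter()
    for event in events:
        totals[event["sender"]] += event["AttachCount"]
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


if __name__ == "__main__":
    # Asking for the top 2 senders "by AttachCount" gives 7 rows here, because
    # the limit is applied per AttachCount value, not to the whole result.
    for row in top_by(EVENTS, "sender", "AttachCount", 2):
        print("top-by:", row)
    # Summing per sender and sorting gives the intended two-column answer.
    for sender, total in top_senders_by_attachments(EVENTS, 3):
        print("ranked:", sender, total)
```

Running it shows the first pipeline returning seven rows for a limit of two, while the second returns exactly the requested number of (sender, total) pairs, which is the two-field result the question asks for.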