×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ebenioff
New Member
Member since: ‎07-25-2011
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-25-2011
View All

Re: Viewing beyond the top 10 results within an ex...

by in Splunk Search
‎07-26-2011 10:02 AM
‎07-26-2011 10:02 AM
I got this to work for some sample queries, but can't get it to work for the actual query I need to run. What I've tried is: index!="x" instance!="cs" logName="/mobile/direct/" logRecordTypeU=1 NOT logName="/mobile/direct/2.0.adobeair/" |fields logName, _time, organizationId, userId | rex field=logName "/mobile/direct/2..0.(? [^/] )/.*" | where not isnull(device) | timechart span=2w dc(userId) as uniqueUsers by device | sort count | head 10 | stats count by userId I'm pretty sure this is just a syntax error, but I don't know what exactly the error is. ... View more

Viewing beyond the top 10 results within an extrac...

by in Splunk Search
‎07-25-2011 01:58 PM
‎07-25-2011 01:58 PM
I'm currently running searches to track the behavior of users on a particular mobile application. The first step in this is identifying which users to track, for which I run a query over a couple of weeks that returns an immense volume of logs and extract a userID field. When I select the userID field, Splunk shows me the top ten most prevalent userIDs, i.e. my most active users. This system has worked fine when I needed the highest activity users, but now I need low activity users as well and I'm wondering if there is any way to view the top 100 or all the userID's that are organized into the userID field. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM