Thanks for your response, Ron. I used index time because a response to my original question at:
http://splunk-base.splunk.com/answers/24165/how-to-report-top-ten-errors-over-a-time-range
suggested it was the only way to accomplish my goal. What I want to do is search through a log4j-formatted file, gather all ERRORs, sort them by type (based on error text), count the instances of each error type, and return one example each of the 10 errors that repeat the most (top ten). Both index-time and search-time suggestions are returning log entries other than ERRORs, which isn't what I'm after.