I am trying to limit the number of results shown when I use the values command. Here is my search:
index="mydata" earliest="-48h" latest=now
| stats count by Incident_ID Channel Source Destination File_Name Policies
| stats sum(count) as "Number of Events" values(Channel) as "Method" values(Policies) as "Violated Policies" values(Destination) as Destination values(File_Name) as "File Name" by Source
| convert timeformat="%H:%M:%S %d.%m.%Y." ctime(Time)
| sort - "Number of Events"
The search works fine, but what I am having an issue with is when I get hundreds of results within a field. Is there a way to limit the number of results to a field, say 10-15 results to a field?