Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to limit the number of bars in a bar graph

brajaram
Communicator
‎12-06-2017 12:13 PM

I have a query that produces a bar graph of the number of hits in a page. I want to limit this to the top 5-10 values, but I can't seem to get either the limit or top function to do what I need. What am I missing here?

index= sourcetype=source= pageURL=< dynamic field input >| stats count as PageHit by uniqueID | stats count as UserCount by PageHit | sort PageHit

Adding limit or top cannot seem to get the same graph as the full query produces, and just removes the small values.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-06-2017 12:21 PM

Doing | sort PageHit will, by default, sort from lowest values to highest values. If you want the top five, try this:

index= sourcetype=source= pageURL=< dynamic field input >
| stats count as PageHit by uniqueID 
| stats count as UserCount by PageHit 
| sort -PageHit
| head 5

By using | sort -PageHit instead, you will reverse the sorting order, and then |head 5 will limit to the first five items.

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎12-06-2017 12:21 PM

Doing | sort PageHit will, by default, sort from lowest values to highest values. If you want the top five, try this:

index= sourcetype=source= pageURL=< dynamic field input >
| stats count as PageHit by uniqueID 
| stats count as UserCount by PageHit 
| sort -PageHit
| head 5

By using | sort -PageHit instead, you will reverse the sorting order, and then |head 5 will limit to the first five items.

Reply
Solved! Jump to solution

brajaram
Communicator
‎12-06-2017 02:01 PM

Thanks! I didn't even know head was a solution, worked fine for me.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎12-06-2017 01:53 PM

@elliotproebstel - That will work fine, but this is more succinct...

| sort 5 - PageHit
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎12-06-2017 01:57 PM

Ohh, didn't realize that was an option! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...