Splunk Search

Search first 10 results by sourcetype

hcheang
Path Finder

Hello I have question regarding limiting the number of events on search to reduce the search time.

Currently, I'm trying to get summary of sourcetype for their eps(events per sec) and log stoppage.

Here is the query I'm using currently.

sourcetype=firewall:web1|head 10|stats sparkline count, first(_time) AS LastTime last(_time) as FirstTime values(index) AS Index values(sourcetype) AS SourceType |eval timediff=now()-LastTime|eval duration=LastTime-FirstTime|eval eps=10/duration|fields Index SourceType FirstTime sparkline LastTime duration eps timediff|convert ctime(FirstTime) ctime(LastTime)

Above query gives me the details of the logging activity and I have tried to reduce search time by applying |head 10
The problem is that I have dozens of sourcetype and would like to get the summary for all the sourcetype I have.
However, as I used sourceytpe=*, I can only get first few sourcetype because I have limited search for the first 10 events, not for 10 events per sourcetype.
Is there a way to limit number of events on search by fields such as index or sourcetype?
I've made dashboard with a table applying above query for each sourcetype (one table per sourcetype) but it's taking forever.
Any suggestion?

0 Karma
1 Solution

hcheang
Path Finder

Actually I found easier way!.

I tried dedup 10 sourcetype and it worked like magic.

Thanks for the answers, too!

View solution in original post

0 Karma

hcheang
Path Finder

Actually I found easier way!.

I tried dedup 10 sourcetype and it worked like magic.

Thanks for the answers, too!

0 Karma

sanjay_shrestha
Contributor

Can you use top instead of head like:

...|top limit=10 by sourcetype|...

gfuente
Motivator

You need to specify a field for the top command, maybe you wanted this:

|top limit=10 _raw by sourcetype

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...