Time Chart Command Question

jason_hotchkiss
Communicator

I am reading:


The following section: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart

limit

Syntax: limit=(top | bottom) <int>

Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N or limit=top N keeps the N highest scoring distinct values of the split-by field. Setting limit=bottom N keeps the lowest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false. The scoring is determined as follows:

  • If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores.
  • If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>.

Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'. See Usage.

Default: top 10


When I try and create a timechart using the limit=top 25 the top is red and I receive the following error in Splunk:  Error in 'SearchProcessor': Invalid option value. Expecting a 'non-negative integer' for option 'limit'. Instead got 'top'.

Am I misusing or misinterpreting the documentation?

 

0 Karma
1 Solution

richgalloway
SplunkTrust

Make sure the documentation matches the version you use. The top/bottom settings weren't documented until 8.1.0 so they may not be available until that version (or later). If the doc version matches your version of Splunk then consider opening a support request and submitting feedback on the docs page.

---
If this reply helps you, Karma would be appreciated.

jason_hotchkiss
Communicator

Ahh. Ok.  I missed that.  We are on 8.0.3 for the time being.  Thanks for the sanity check.

0 Karma
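
Added example (not part of the original thread and not Splunk's own code): a small Python model of the limit scoring rules quoted from the timechart documentation in the question, showing which split-by values are kept and when the rest fold into 'OTHER'. Assumptions: the function names and row layout are hypothetical, "frequency" is read as the event count per split-by value, and the same lexicographic tie-break is applied for bottom as for top.

```python
from collections import defaultdict

# Constructed sample: one row per (time bucket, split-by value).
ROWS = [
    {"by": "web01", "count": 40, "avg_foo": 2.0},
    {"by": "web01", "count": 35, "avg_foo": 3.0},
    {"by": "db01", "count": 5, "avg_foo": 9.0},
    {"by": "db01", "count": 4, "avg_foo": 8.0},
    {"by": "BAR", "count": 10, "avg_foo": 1.5},
    {"by": "bar", "count": 10, "avg_foo": 1.5},
    {"by": "foo", "count": 10, "avg_foo": 1.5},
]


def score_series(rows, agg_fields):
    """Score each split-by value the way the quoted documentation describes."""
    scores = defaultdict(float)
    for row in rows:
        if len(agg_fields) == 1:
            # Single aggregation: add up the aggregated values across buckets.
            scores[row["by"]] += row[agg_fields[0]]
        else:
            # Multiple aggregations: score is how common the value is
            # (assumption: measured as event count).
            scores[row["by"]] += row["count"]
    return dict(scores)


def apply_limit(scores, limit="top 10", useother=True):
    """Return (kept split-by values, True if the remainder becomes OTHER)."""
    words = str(limit).split()
    mode = words[0] if len(words) == 2 else "top"  # limit=N means limit=top N
    n = int(words[-1])
    if n == 0:
        return sorted(scores), False  # limit=0 keeps every distinct value
    sign = -1 if mode == "top" else 1
    # Sort by score, then by value: 'BAR' < 'bar' < 'foo' breaks ties.
    ranked = sorted(scores, key=lambda v: (sign * scores[v], v))
    return ranked[:n], useother and len(ranked) > n


if __name__ == "__main__":
    single = score_series(ROWS, ["avg_foo"])
    multi = score_series(ROWS, ["avg_foo", "max_bar"])
    print("avg(foo) BY host, limit=top 2:", apply_limit(single, "top 2"))
    print("avg(foo) max(bar) BY host, limit=2:", apply_limit(multi, 2))
```

With this sample, adding a second aggregation changes which series survive the limit: db01 is kept under the single-aggregation score but falls into 'OTHER' once scoring switches to frequency. Per the quoted documentation, limit=N and limit=top N select the same values.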