Top of field with multiple values

adri9valle · ‎03-08-2019

Hi,

I'm trying to do a simple search that returns the top repeated values of a field.

The problem is that this field has multiple values, then when a try to exec the search, it returns 0 results.

With another field with a single value, this problem doesn't happen.

For example, let's suppose that we have this two fields; level and groups the field level contents a unique value for example 7, but the groups field can content multiples values [foo,bar,cir...]

If execute ** query *| top level limit 5 * will return the top 5 levels but if execute ** query | top groups limit 5 ** does not return anything.

How can get the top of a field with multiple values?

Thanks

adri9valle · ‎03-11-2019

Hi @nickhillscpl and @harishalipaka,

Thanks for your help, but the solution was the below:

Instead of execute:

mysearch | top rules

The execution must be:

mysearch | top rules{}

Looks seem that {} is used for fields with several values.

nickhills · ‎03-08-2019

I think you mean that the 'group' field can contain comma separated lists of values?

If I have understood that bit correctly, try:

[your search]|makemv delim="," groups|top groups limit 5

If my comment helps, please give it a thumbs up!

Top of field with multiple values

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk