how to create a top 5 of results and a bin for the...

wsw70 · ‎09-24-2013

Hi,

Now that I know, thanks to R.Turk, how to sort stacked bar charts I wanted to pick a top 5 of the results. This works fine by adding a | head 5 to the search.

Is there a way to gather all the other events (the ones which did not make it to the top 5) in a separate bar called "others" (or whatever)?

Thanks!

kristian_kolb · ‎09-24-2013

Could this be of use? top has a useother parameter that can be used to bunch the remaining events together into OTHER, like so;

sourcetype=access_combined | top 5 clientip useother=t

/K

wsw70 · ‎09-24-2013

Sorry, I was not clear enough when referring to the previous post on sorting bar charts. The search over there was

<base search> | chart count over N_vendor by N_subnetname | addtotals fieldname=total | sort -total | fields - total

so total is indeed defined.

kristian_kolb · ‎09-24-2013

eeh you need to do top 5 something. Is total a field that exists in some/most/all of your events?

You know that top is not the same as max? top will look at the frequency of values for the specified field, not whether a value is higher than another.

/K

wsw70 · ‎09-24-2013

This does not work, unfortunately. Even a plain top 5 total returns empty results.

how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!