Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

wsw70
Communicator
‎09-24-2013 05:52 AM

Hi,

Now that I know, thanks to R.Turk, how to sort stacked bar charts I wanted to pick a top 5 of the results. This works fine by adding a | head 5 to the search.

Is there a way to gather all the other events (the ones which did not make it to the top 5) in a separate bar called "others" (or whatever)?

Thanks!

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-24-2013 06:58 AM

Could this be of use? top has a useother parameter that can be used to bunch the remaining events together into OTHER, like so;

sourcetype=access_combined | top 5 clientip useother=t

/K

0 Karma
Reply

wsw70
Communicator
‎09-24-2013 10:47 PM

Sorry, I was not clear enough when referring to the previous post on sorting bar charts. The search over there was

<base search>
| chart count over N_vendor by N_subnetname
| addtotals fieldname=total
| sort -total
| fields - total

so total is indeed defined.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-24-2013 01:01 PM

eeh you need to do top 5 something. Is total a field that exists in some/most/all of your events?

You know that top is not the same as max? top will look at the frequency of values for the specified field, not whether a value is higher than another.

/K

0 Karma
Reply

wsw70
Communicator
‎09-24-2013 07:07 AM

This does not work, unfortunately. Even a plain top 5 total returns empty results.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...