Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to limit my search to return only the top 10 events displaying count and percentage?

jalalallam
New Member
‎09-22-2014 10:27 AM

Hello,

I would like to create a search that select the top 10 events

Like this:

event count percent

[Mon Sep 22 17:14:36 2014] [error] [client XXX] File does not exist: /var/www/html/home-store 1000 30
[Mon Sep 22 15:53:37 2014] [error] [client XXX] Bean "Hits_Bean_List.__isset" does not support attrib 500 20

Any suggestions? Any idea is welcome.

Thanks

Tags (3)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-22-2014 10:36 AM

First, if timestamp does not matter, you may want to extract a fields, say called raw, that has only the event. I'm assuming the pattern above are for all your events. Example props.conf

[Insert Name of your sourcetype]
EXTRACT-raw=^\[.*?\](?P<raw>.*)

Then, simply run the search:

sourcetype="Insert name of your sourcetype"|top raw limit=10

I'm not sure if this answers your question I don't know if all your events follow the pattern above. Nevertheless, the top command can get you there.

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-23-2014 02:03 PM

Sorry, I had two typos in there. Change that in props.conf to what is now listed in the answer.

You can use http://regex101.com/ to test a regex (remove the ?P in the test regex). BTW, you should put your props.conf in $SPLUNK_HOME/etc/apps/search/local/props.conf

Your search would be: sourcetype=splunk_web_service|top raw limit=10

This assumes that your source "/var/log/httpd/*-error_log" is indeed tied to this sourcetype.

0 Karma
Reply

jalalallam
New Member
‎09-23-2014 10:22 AM

Thank you for reply,

I tried to update the config file:
splubk/etc/apps/search/default/props.conf
[splunk_web_service]
EXTRACT-raw=^[.?](?.8)

And tried to search through the browser
source="/var/log/httpd/*-error_log" | top raw limit=10

but no luck:
No results found.

I want to find the top 10 raw repeated in any log file such as Apache error log.

Can you help me?

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...