how to create a top 5 of results and a bin for the...

wsw70 · ‎09-24-2013

Hi,

Now that I know, thanks to R.Turk, how to sort stacked bar charts I wanted to pick a top 5 of the results. This works fine by adding a | head 5 to the search.

Is there a way to gather all the other events (the ones which did not make it to the top 5) in a separate bar called "others" (or whatever)?

Thanks!

kristian_kolb · ‎09-24-2013

Could this be of use? top has a useother parameter that can be used to bunch the remaining events together into OTHER, like so;

sourcetype=access_combined | top 5 clientip useother=t

/K

wsw70 · ‎09-24-2013

Sorry, I was not clear enough when referring to the previous post on sorting bar charts. The search over there was

<base search> | chart count over N_vendor by N_subnetname | addtotals fieldname=total | sort -total | fields - total

so total is indeed defined.

kristian_kolb · ‎09-24-2013

eeh you need to do top 5 something. Is total a field that exists in some/most/all of your events?

You know that top is not the same as max? top will look at the frequency of values for the specified field, not whether a value is higher than another.

/K

wsw70 · ‎09-24-2013

This does not work, unfortunately. Even a plain top 5 total returns empty results.

how to create a top 5 of results and a bin for the rest of them (sorted stack bars)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms