Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find top 10 hosts after a sort?

I-Man
Communicator
‎02-02-2011 06:22 PM

The following search will give the count of events by host and sort the hosts by count, highest to lowest.

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort count

Now I just want to show the top 10 hosts based on their high count. Using the head command will show the first 10 hosts that are found and not the top 10 based on the count that i am trying to display. This seems easy enough but i cannot figure it out...

Feeling very noob right now, help is always appreciated.

Thanks, Iman

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎02-02-2011 06:41 PM

I think that's what you're looking for can be achieved by. 

index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host

However, if you would like to use your search you could also achieve the same by: 

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count

.gz

View solution in original post

Reply
Solved! Jump to solution

renjujacob88
Path Finder
‎05-15-2017 08:33 PM

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort 10 - count

0 Karma
Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-21-2016 07:31 AM

try this
index=_internal source=*license_usage.log type="Usage" | stats sum(b) AS volume by h | eval GB=round(volume/1024/1024/1024,5) | table h GB | sort 10 - GB | rename h AS Host

Reply
Solved! Jump to solution

I-Man
Communicator
‎02-02-2011 06:59 PM

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort -count | head 10

The above search finally worked for me. There was some kind of bug going on that when I clicked on the top of a column to sort via ascending/descending order, the sort -count OR sort +count would make no difference as the column properties take seemed to take precedence. Not sure why but this only happened when the head function was not present. Weird. Thank you anyways for the quick response Genti.

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎02-02-2011 06:41 PM

I think that's what you're looking for can be achieved by. 

index=summary source="SI Count By Host Every 10m" | top limit=10 orig_host

However, if you would like to use your search you could also achieve the same by: 

index=summary source="SI Count By Host Every 10m" | stats count by orig_host | sort limit=10 -count

.gz

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...