Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to limit my search to return only the top 10 events displaying count and percentage?

jalalallam
New Member
‎09-22-2014 10:27 AM

Hello,

I would like to create a search that select the top 10 events

Like this:

event count percent

[Mon Sep 22 17:14:36 2014] [error] [client XXX] File does not exist: /var/www/html/home-store 1000 30
[Mon Sep 22 15:53:37 2014] [error] [client XXX] Bean "Hits_Bean_List.__isset" does not support attrib 500 20

Any suggestions? Any idea is welcome.

Thanks

Tags (3)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-22-2014 10:36 AM

First, if timestamp does not matter, you may want to extract a fields, say called raw, that has only the event. I'm assuming the pattern above are for all your events. Example props.conf

[Insert Name of your sourcetype]
EXTRACT-raw=^\[.*?\](?P<raw>.*)

Then, simply run the search:

sourcetype="Insert name of your sourcetype"|top raw limit=10

I'm not sure if this answers your question I don't know if all your events follow the pattern above. Nevertheless, the top command can get you there.

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-23-2014 02:03 PM

Sorry, I had two typos in there. Change that in props.conf to what is now listed in the answer.

You can use http://regex101.com/ to test a regex (remove the ?P in the test regex). BTW, you should put your props.conf in $SPLUNK_HOME/etc/apps/search/local/props.conf

Your search would be: sourcetype=splunk_web_service|top raw limit=10

This assumes that your source "/var/log/httpd/*-error_log" is indeed tied to this sourcetype.

0 Karma
Reply

jalalallam
New Member
‎09-23-2014 10:22 AM

Thank you for reply,

I tried to update the config file:
splubk/etc/apps/search/default/props.conf
[splunk_web_service]
EXTRACT-raw=^[.?](?.8)

And tried to search through the browser
source="/var/log/httpd/*-error_log" | top raw limit=10

but no luck:
No results found.

I want to find the top 10 raw repeated in any log file such as Apache error log.

Can you help me?

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...