Splunk Search

How to control the number of top results shown from a search in Splunk 6.1.2?

HattrickNZ
Motivator

I am trying to control how many of the top results are shown.

I have the following search

stats max(c1693801001) as MaxCPU by measObjLdn | sort - MaxCPU

which gives me the following in the stats view:

measObjLdn  MaxCPU
Object1 13
Object2 11
Object3 8
Object4 7
Object5 4
Object6 4
Object7 3
Object8 3

How do i just show the top 3 that would look like

measObjLdn  MaxCPU
Object1 13
Object2 11
Object3 8

I have tried top but no joy, it just keeps showing them all
....| top limit=5 showcount=f showperc=f MaxCPU by measObjLdn | sort - MaxCPU

Tags (3)
0 Karma
1 Solution

musskopf
Builder

Just change to:

stats max(c1693801001) as MaxCPU by measObjLdn | sort 3 - MaxCPU

View solution in original post

ramdaspr
Contributor

That is because you have a by clause so it is showing you the top 5 MaxCPU for each measObjLdn. You should be using head 3 after sorting to find out the top 3 values regardless of the combination.

musskopf
Builder

Just change to:

stats max(c1693801001) as MaxCPU by measObjLdn | sort 3 - MaxCPU

ramdaspr
Contributor

++ simpler solution.

When i read the docs, it says "Specify the number of results to sort. " so I assumed only the first 3 events would be used but it should says "Specify the number of sorted results to return" instead.

0 Karma

HattrickNZ
Motivator

tks all, the one below by ramdaspr works also.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...