Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When you feed multiple field names to the top command, what results are returned exactly?

jli001
Explorer
‎06-12-2015 12:56 PM

According to Splunk documentation for the top command, it is acceptable to have multiple fields (separated by commas) as arguments. For example:

search something | top host_ip, username

But my brain is having a hard time understanding what that actually does. To me, "top" implies that you are trying to sort the search results by the frequency of each unique value in one field and displays on the top X most frequently occurring values of that field. When you feed multiple field names to the top command, what results are returned exactly?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎06-12-2015 02:41 PM

Hello/
The top command Finds the most frequent tuple of values of all fields in the field list, along with a count and percentage. Means search something | top host_ip, username, will find the most frenquent values of the field host_ip , and the most frequent values of the field username

If the optional by-clause is provided, top will find the most frequent values for each distinct tuple of values of the group-by fields. http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Top

Thanks

SGF

View solution in original post

Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎06-12-2015 02:41 PM

Hello/
The top command Finds the most frequent tuple of values of all fields in the field list, along with a count and percentage. Means search something | top host_ip, username, will find the most frenquent values of the field host_ip , and the most frequent values of the field username

If the optional by-clause is provided, top will find the most frequent values for each distinct tuple of values of the group-by fields. http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Top

Thanks

SGF
Reply
Solved! Jump to solution

jli001
Explorer
‎06-18-2015 10:30 AM

That's exactly it! To test this answer I have created a lookup file and ran top against different combinations of fields. The top command behaved as stephanefotso described.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...