I have a splunk instance with many serviceNames in the logs. Is there a query where I can extract the top 15 of each serviceName? My service names include data such as snmp, syslog, etc. I want the top 15 of each type
Thanks.
I am not sure that I understand the results that you want. If you want to see the 15 most common serviceNames, try this
<your search> | top limit=15 serviceName
This will show the most common 15 serviceNames, along with the number of events for each serviceName. The results are displayed in a table. If you click on a row of the table, you will see the underlying events for the corresponding serviceName.
Splunk's dedup command is right for the job:
<your search> | dedup 15 serviceName
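The two answers read the question differently: `top limit=15 serviceName` returns the 15 most frequent values of the field with a count for each, while `dedup 15 serviceName` returns up to 15 raw events for every distinct value. The Python below is an added illustration, not Splunk's code and not from anyone in this thread; it mimics the observable behaviour of both commands over a small constructed set of events (field names, hosts and messages are hypothetical) so the difference in the shape of the results is easy to see. Like Splunk, the simulated `dedup` drops events that lack the field (the default `keepempty=false` behaviour) and keeps the first N in search order, which for an event search is most recent first.

```python
from collections import Counter, defaultdict

# Constructed sample events in search order (newest first), as Splunk
# would return them. Hosts, messages and times are made up for the demo.
SAMPLE_EVENTS = [
    {"_time": 110, "serviceName": "snmp",   "host": "sw01",  "msg": "poll ok"},
    {"_time": 109, "serviceName": "syslog", "host": "fw01",  "msg": "auth failure for admin"},
    {"_time": 108, "serviceName": "snmp",   "host": "sw02",  "msg": "poll ok"},
    {"_time": 107, "serviceName": "dns",    "host": "ns01",  "msg": "query refused"},
    {"_time": 106, "serviceName": "snmp",   "host": "sw03",  "msg": "timeout"},
    {"_time": 105, "serviceName": "syslog", "host": "fw01",  "msg": "auth failure for root"},
    {"_time": 104,                          "host": "app01", "msg": "event with no serviceName"},
    {"_time": 103, "serviceName": "snmp",   "host": "sw01",  "msg": "poll ok"},
    {"_time": 102, "serviceName": "dns",    "host": "ns02",  "msg": "query ok"},
    {"_time": 101, "serviceName": "syslog", "host": "fw02",  "msg": "link down"},
    {"_time": 100, "serviceName": "snmp",   "host": "sw04",  "msg": "poll ok"},
]


def top(events, field, limit=10):
    """Mimic `| top limit=<limit> <field>`.

    Counts every value of `field`, orders values by descending count and
    returns one row per value with `count` and `percent` columns, where
    percent is relative to the events that actually carry the field.
    """
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    rows = []
    for value, count in counts.most_common():
        rows.append({field: value,
                     "count": count,
                     "percent": round(100.0 * count / total, 6)})
    return rows[:limit]


def dedup(events, n, field):
    """Mimic `| dedup <n> <field>`.

    Walks events in search order and keeps the first `n` events seen for
    each distinct value of `field`. Events without the field are dropped,
    matching Splunk's default keepempty=false. The raw events are
    returned unchanged, so all other fields remain available.
    """
    seen = defaultdict(int)
    kept = []
    for e in events:
        if field not in e:
            continue
        if seen[e[field]] < n:
            seen[e[field]] += 1
            kept.append(e)
    return kept


def events_per_value(events, field):
    """Helper for checking a dedup result: how many events survived per value."""
    return dict(Counter(e[field] for e in events))


if __name__ == "__main__":
    print("top limit=2 serviceName -> one summary row per value:")
    for row in top(SAMPLE_EVENTS, "serviceName", limit=2):
        print("  ", row)
    print("dedup 2 serviceName -> up to 2 raw events per value:")
    for e in dedup(SAMPLE_EVENTS, 2, "serviceName"):
        print("  ", e)
```

Running it shows `top` collapsing the ten tagged events into a three-row table (snmp 5, syslog 3, dns 2, with percentages), whereas `dedup 2` hands back six untouched events, the two newest for each service, and silently discards the untagged event at `_time` 104. If the goal is "15 example events for every service", `dedup 15 serviceName` is the right tool; if it is "which 15 services generate the most events", `top limit=15 serviceName` is.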