Splunk Search

How to do this subsearch?

hjwang
Contributor

Hi~there, i have logs containing "requestURL" and its "Category" per event. it's easy to count top 10 requestURL, and it displays the table containing "requestURL","count","percent" fileds. now if i wanna append one column named Category in each top 10 row. how can i do this search? or must use lookup table? thanks for your kind help 🙂

Tags (1)
0 Karma
1 Solution

Ayn
Legend

Just add "Category" as a parameter to top:

<yourbasesearch> | top 10 requestURL,Category

This gives you the top 10 pairs of requestURL and Category, so if one requestURL would have different values for Category these would be split up, but I'm guessing that is not likely to happen in your logs.

View solution in original post

Ayn
Legend

Just add "Category" as a parameter to top:

<yourbasesearch> | top 10 requestURL,Category

This gives you the top 10 pairs of requestURL and Category, so if one requestURL would have different values for Category these would be split up, but I'm guessing that is not likely to happen in your logs.

hjwang
Contributor

Thanks,Ayn. i thought top command just use only one field to caculate.i didn't expect it can do such thing.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...