Splunk Search

How does Splunk decide which rows to display in top if there's a tie?

sk8asd123
Engager

for example here's the full data:
widgets total
item1 10
item2 8
item3 8
item4 8
item5 8
item6 4

and you have a query like
| top widgets limit=2

There is a 4-way tie for the second highest total, but Splunk will only show 2 rows. How does Splunk decide which row to show? What is a best practice to show item1, item2, item3, item4, and item5 (and not item6) in the results?


Richfez
SplunkTrust

Someone who knows the code may have to chime in here, but from what I can see, the answer to your first question is "there is no defined and consistent mechanism." I can TOTALLY be wrong, but it seems sometimes it picks the last event seen, sometimes the first. I haven't seen it pick a middle event, but honestly I didn't test much more after I realized it would pick first or last.

The second question's answer, namely "how do I make it show ties?": a bit of reformulating of the search is all it takes. Instead of using top, you have to do a bit more work, but it's not hard stuff once you understand what it's doing.

OK, in your example, you somehow get a count of widgets. Let's back up to that imaginary point and proceed down a different path than top.

stats count by widget | mvcombine widget | sort - count | head 2

That's your (hopefully) original way of compiling those summary statistics to get "widgets, count" output, followed by a mvcombine to combine the widget rows where it's the only field different, then sort descending on count, then take the head (first 2) rows.

What you get here will be a multi-valued list where there were ties before, like...

item1 10
item2 8
item3 
item4 
item5 

where items 2, 3, 4 and 5 are all in one row listed together, with their count being "8".

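The two behaviours described in the accepted answer, as an added example that is not part of the original thread and not code from the poster or from Splunk: a small Python model of the SPL pipelines involved. `top_naive` models `top widget limit=N` (sort by count, cut at N) and `naive_is_order_dependent` shows that which tied rows survive the cut is decided only by the order the rows arrived in; `top_with_ties` models `stats count by widget | mvcombine widget | sort - count | head N` and keeps every widget tied at a kept count. The sample events are constructed to reproduce the counts in the question, and all function names are this example's own. Splunk itself is not executed here; the model reflects how the SPL commands behave, not Splunk's internal code.

```python
from collections import Counter
from itertools import groupby

# Constructed sample events: one event per widget occurrence, sized to reproduce
# the counts in the question (item1=10, item2..item5=8, item6=4).
SAMPLE_EVENTS = (["item1"] * 10 + ["item2"] * 8 + ["item3"] * 8
                 + ["item4"] * 8 + ["item5"] * 8 + ["item6"] * 4)


def stats_count_by(events):
    """Model of `stats count by widget`: one (widget, count) row per distinct value.
    Row order is whatever the aggregation happened to produce, which is the point."""
    return list(Counter(events).items())


def top_naive(rows, limit):
    """Model of `top widget limit=N`: sort by count descending and cut at N.
    sorted() is stable, so which tied rows survive the cut depends purely on
    the order the rows arrived in; nothing here chooses among ties on purpose."""
    return sorted(rows, key=lambda row: -row[1])[:limit]


def top_with_ties(rows, limit):
    """Model of `stats count by widget | mvcombine widget | sort - count | head N`:
    collapse rows that share a count into one multivalue row, then keep the N
    highest counts. Every widget tied at a kept count is returned."""
    ordered = sorted(rows, key=lambda row: -row[1])
    combined = [(count, sorted(widget for widget, _ in grp))
                for count, grp in groupby(ordered, key=lambda row: row[1])]
    return combined[:limit]


def flatten(combined):
    """Expand the multivalue rows back to one (widget, count) row each, for a
    downstream consumer (a table, an alert) that wants a flat result set."""
    return [(widget, count) for count, widgets in combined for widget in widgets]


def naive_is_order_dependent(rows, limit):
    """True when feeding the same rows in reverse order changes which rows top_naive keeps."""
    forward = {widget for widget, _ in top_naive(rows, limit)}
    backward = {widget for widget, _ in top_naive(list(reversed(rows)), limit)}
    return forward != backward


if __name__ == "__main__":
    rows = stats_count_by(SAMPLE_EVENTS)
    print("naive limit=2:", top_naive(rows, 2))
    print("naive, reversed input:", top_naive(list(reversed(rows)), 2))
    print("with ties, head 2:", top_with_ties(rows, 2))
    print("flattened:", flatten(top_with_ties(rows, 2)))
```

The practical caveat for detection content: a panel such as "top source IPs by failed logins, limit=10" cuts at the tenth row, so sources tied at the cutoff are dropped without any indication, and which ones are dropped can change from one run to the next. If the cutoff is a threshold on the count rather than a row budget, the mvcombine-then-head form (or, equivalently, sorting on the count and filtering on it) is the one to use.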

