Splunk Search

How does Splunk decide which rows to display in top if there's a tie?

sk8asd123
Engager

for example here's the full data:
widgets total
item1 10
item2 8
item3 8
item4 8
item5 8
item6 4

and you have a query like
| top widgets limit=2

There is a 4-way tie for the second-highest total, but Splunk will only show 2 rows. How does Splunk decide which row to show? What is a best practice to show item1, item2, item3, item4, and item5 (and not item6) in the results?


Richfez
SplunkTrust

Someone who knows the code may have to chime in here, but from what I can see, the answer to your first question is "there is no defined and consistent mechanism." I can TOTALLY be wrong, but it seems sometimes it picks the last event seen, sometimes the first. I haven't seen it pick a middle event, but honestly I didn't test much more after I realized it would pick first or last.

As for the second question, namely, how do I make it show ties: a bit of reformulating of the search is all it takes. Instead of using top, you have to do a bit more work, but it's not hard stuff once you understand what it's doing.

OK, in your example, you somehow get a count of widgets. Let's back up to that imaginary point and proceed down a different path than top.

stats count by widget | mvcombine widget | sort - count | head 2

That's your (hopefully) original way of compiling those summary statistics to get "widgets, count" output, followed by a mvcombine to combine the widget rows where it's the only field different, then sort descending on count, then take the head (first 2) rows.

What you get here will be a multi-valued list where there were ties before, like...

item1 10
item2 8
item3 
item4 
item5 

Here, items 2, 3, 4 and 5 are all in one row listed together, with their count being "8".
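The same tie-aware approach as one self-contained search you can paste into any Splunk search bar. This is an added example, not code from the original post or from Splunk's documentation: the question's sample data is constructed inline with makeresults and multikv, and instead of collapsing ties with mvcombine it keeps one row per widget and assigns a dense rank with streamstats. The field names widget, count, total, percent and rank are this example's own choices.

```spl
| makeresults
| eval _raw="widget count
item1 10
item2 8
item3 8
item4 8
item5 8
item6 4"
| multikv forceheader=1
| fields widget count
| eventstats sum(count) as total
| eval percent=round(100*count/total, 2)
| sort 0 -num(count)
| streamstats dc(count) as rank
| where rank <= 2
| fields widget count percent rank
```

The constructed block above is the "stats count by widget" table the answer assumes you already have; multikv extracts every column as a string, so the sort uses num(count) to make the ordering numeric, and sort 0 lifts the default 10,000-row cap. After the descending sort, streamstats dc(count) only increases when the count value changes, so every tied row receives the same rank; where rank <= 2 is then the tie-aware equivalent of limit=2 and returns all five rows (item1 at rank 1 with 21.74 percent, item2 through item5 at rank 2 with 17.39 percent each) while dropping item6. eventstats runs before the filter so that percent is computed against the full total of 46, the way top computes it. Keeping one row per value, rather than a multivalue field, matters when the result feeds an alert, a drilldown, or a further by clause.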
