for example here's the full data:
widgets total
item1 10
item2 8
item3 8
item4 8
item5 8
item6 4
and you have a query like
|top widgets limit=2.
There is a 4-way tie for the second highest total, but Splunk will only show 2 rows. How does Splunk decide which row to show? What is a best practice to show item1, item2, item3, item4, and item5 (and not item6) in the results?
Someone who knows the code may have to chime in here, but from what I can see, the answer to your first question is "there is no defined and consistent mechanism." I can TOTALLY be wrong, but it seems sometimes it picks the last event seen, sometimes the first. I haven't seen it pick a middle event, but honestly I didn't test much more after I realized it would pick first or last.
As for the second question, namely, how do I make it show ties? A bit of reformulating of the search is all it takes. Instead of using top, you have to do a bit more work, but it's not hard stuff once you understand what it's doing.
OK, in your example, you somehow get a count of widgets. Let's back up to that imaginary point and proceed down a different path than top.
stats count by widget | mvcombine widget | sort - count | head 2
That's your (hopefully) original way of compiling those summary statistics to get "widgets, count" output, followed by a mvcombine to combine the widget rows where it's the only field different, then sort descending on count, then take the head (first 2) rows.
What you get here will be a multi-valued list where there were ties before, like...
item1 10
item2 8
item3
item4
item5
Here, items 2, 3, 4 and 5 are all in one row, listed together, with their count being "8".
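The difference the answer describes, as an added Python example (not Splunk code and not from the original post): a simulation of `top widget limit=2` against the `stats count by widget | mvcombine widget | sort - count | head 2` pipeline, run over a constructed event list whose per-widget counts match the question's table. It shows why the plain `top` result depends on row arrival order while the mvcombine form keeps every tied widget.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the original post): one entry per widget
# occurrence, chosen so the counts come out 10, 8, 8, 8, 8, 4 as in the question.
EVENTS = (["item1"] * 10 + ["item2"] * 8 + ["item3"] * 8
          + ["item4"] * 8 + ["item5"] * 8 + ["item6"] * 4)


def stats_count_by(events):
    """`stats count by widget`: one (widget, count) row per distinct widget,
    rows ordered by first appearance, like a stats result arriving in arrival order."""
    return dict(Counter(events))


def naive_top(counts, limit):
    """Mimic `top widget limit=N`: sort by count only. Python's sort is stable,
    so tied widgets keep arrival order and the N-th row is whichever tie came
    first; that is exactly the "no defined mechanism" the answer describes."""
    rows = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return [widget for widget, _ in rows[:limit]]


def top_with_ties(counts, limit):
    """Mimic `stats count by widget | mvcombine widget | sort - count | head N`:
    rows that differ only in widget (i.e. share a count) are merged into one
    multivalue row before sorting, so head N keeps N distinct count levels."""
    by_count = defaultdict(list)
    for widget, n in counts.items():
        by_count[n].append(widget)
    merged = [(sorted(widgets), n) for n, widgets in by_count.items()]
    merged.sort(key=lambda row: row[1], reverse=True)
    return merged[:limit]


if __name__ == "__main__":
    forward = stats_count_by(EVENTS)
    backward = stats_count_by(list(reversed(EVENTS)))
    print("top, events in order:  ", naive_top(forward, 2))
    print("top, events reversed:  ", naive_top(backward, 2))
    print("mvcombine pipeline:    ", top_with_ties(forward, 2))
```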