Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a search to exclude the top 10 or 15 error messages, but return the following top 10?

steeldol
Explorer
‎10-26-2015 05:11 AM

Currently, about 80 to 90 percent of errors logged within a specific index I'm monitoring is made up of the top 10 to 15 errors. These errors are logged daily and are pretty much noise. I have created a search to exclude each of these errors by using the != option, and then using the top limit=10 command to show me the next top 10. But as you can imagine, this isn't very efficient. Is there any other way that I can run a search that would show me the top 10 errors after excluding the current top 10 or 15 errors without having to manually define each error using the != option?

0 Karma
Reply

DalJeanis
Legend
‎08-23-2017 11:52 AM

Try this ....

 your search
 | stats count  as errorcount by myerror
 | sort 25 - errorcount
 | tail 15
 | reverse
0 Karma
Reply

mtranchita
Communicator
‎10-26-2015 06:05 AM

Why not try working with rare instead of top?
The command is intended to find the infrequent results.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-26-2015 06:14 AM

I believe (and testing seems to confirm) that you can combine the two.

... | top 15 myerror | rare 5 myerror

Seems to do the right thing in that it first takes the top 15 myerrors, then displays the "least top" 5 of those (e.g. the rare ones). It does mess up your counts and that, but still, the list appears correct.

0 Karma
Reply

altink
Builder
‎08-22-2017 02:53 PM

didn't work for me

tried
| top 100 my-field-name | rare 99 my-field-name

for actually five records, but got all of them and not the first one (100-99) removed!
Put high number (100) because five records is not the max number, may be even 150

regards
Altin

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-23-2017 09:26 AM

I'm sorry, I should have said to use head and tail. You'll need to sort, but here's a run-anywhere..

index=_internal | stats count by component | sort - count | head 50 | tail 5

That should show you the 45th through 50th (or 45th through 49th?) items.

Does that work better?

Reply

altink
Builder
‎08-23-2017 11:11 AM

Yes, it did this way

thanks and regards
Altin

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...