Splunk Search

What is the syntax for finding top value of some field and increasing the limit?

the_wolverine
Champion

index="whatever" INFECTION | top limit="15" misc by src

When I attempt this search, the limit qualifier seems to be ignored:

It does not limit, even to 100 results.

0 Karma
1 Solution

the_wolverine
Champion

The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:

index="whatever" INFECTION | top misc limit=100 by src


0 Karma

Tisiphone_1
Explorer

Hi, The_Wolverine...

This does not work for me, regardless of search string or index. Could it possibly be bugged?

When I do:

index="blah" search search2 | top var limit=25 by var2

I get 65 results in my list, not 25. We are running version 4.0.11, build 79031.

0 Karma

Tisiphone_1
Explorer

So my understanding is, limit number of field1, with no limit of combinations with field2.

That would make sense, but I am getting more than the limit number of field1? Is it impossible to decrease the limit below 10?

0 Karma

the_wolverine
Champion

I'm not sure if your understanding of "limit" vs. "results" is correct here. The limit is based on var field. It does not limit the result/event count.

0 Karma
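The distinction drawn in the reply above (the limit applies to the values of the counted field within each by-group, not to the total number of rows returned) can be seen in a small Python model. This is an added example, not part of the original thread and not Splunk code; the function names `top_by` and `global_top` are hypothetical and the events are constructed.

```python
from collections import Counter, defaultdict

def mk(src, spec):
    """Build constructed events: spec maps a misc value to its event count."""
    return [{"src": src, "misc": v} for v, n in spec.items() for _ in range(n)]

# Constructed sample: three sources with 4, 2 and 5 distinct misc values.
SAMPLE_EVENTS = (
    mk("10.0.0.1", {"sigA": 5, "sigB": 3, "sigC": 2, "sigD": 1})
    + mk("10.0.0.2", {"sigA": 4, "sigE": 1})
    + mk("10.0.0.3", {"sigB": 6, "sigC": 5, "sigD": 4, "sigE": 2, "sigF": 1})
)

def top_by(events, field, by, limit=10):
    """Model of `top <field> limit=<limit> by <by>`.

    The limit is applied inside each by-group, so the output holds up to
    limit * (number of by-values) rows. limit=0 returns every value.
    Row order between groups is this model's choice (sorted by-value);
    the percent column that top also emits is left out.
    """
    groups = defaultdict(Counter)
    for ev in events:
        if field in ev and by in ev:
            groups[ev[by]][ev[field]] += 1
    rows = []
    for by_val in sorted(groups):
        ranked = groups[by_val].most_common(limit if limit else None)
        rows += [{by: by_val, field: v, "count": c} for v, c in ranked]
    return rows

def global_top(events, field, by, limit):
    """Cap the total row count instead: count each (by, field) pair and
    keep the `limit` most frequent pairs overall (in SPL terms, roughly
    stats count by both fields, sort descending, then head)."""
    pairs = Counter((ev[by], ev[field]) for ev in events
                    if field in ev and by in ev)
    return [{by: b, field: f, "count": c}
            for (b, f), c in pairs.most_common(limit)]

if __name__ == "__main__":
    per_group = top_by(SAMPLE_EVENTS, "misc", "src", limit=3)
    print(len(per_group), "rows with limit=3")  # more rows than the limit
    for row in per_group:
        print(row)
```
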
