Solved: What is the syntax for finding top value of some f...

the_wolverine · ‎06-22-2010

index="whatever" INFECTION | top limit="15" misc by src

When I attempt this search, the limit qualifier seems to be ignored:

It does not limit, even to 100 results.

the_wolverine · ‎06-22-2010

The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:

index="whatever" INFECTION | top misc limit=100 by src

View solution in original post

Tisiphone_1 · ‎06-23-2010

Hi, The_Wolverine...

This does not work for me, regardless of search string or index. Could it possibly be bugged?

When I do:

index="blah" search search2 | top var limit=25 by var2

I get 65 results in my list, not 25. We are running version 4.0.11, build 79031.

Tisiphone_1 · ‎06-24-2010

So my understanding is, limit number of field1, with no limit of combinations with field2.

That would make sense, but I am getting more than the limit number of field1? Is it impossible to decrease the limit below 10?

the_wolverine · ‎06-23-2010

I'm not sure if your understanding of "limit" vs. "results" is correct here. The limit is based on var field. It does not limit the result/event count.

the_wolverine · ‎06-22-2010

The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:

index="whatever" INFECTION | top misc limit=100 by src

What is the syntax for finding top value of some field and increasing the limit?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk