Solved: What is the syntax for finding top value of some f...

the_wolverine · ‎06-22-2010

index="whatever" INFECTION | top limit="15" misc by src

When I attempt this search, the limit qualifier seems to be ignored:

It does not limit, even to 100 results.

the_wolverine · ‎06-22-2010

The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:

index="whatever" INFECTION | top misc limit=100 by src

View solution in original post

Tisiphone_1 · ‎06-23-2010

Hi, The_Wolverine...

This does not work for me, regardless of search string or index. Could it possibly be bugged?

When I do:

index="blah" search search2 | top var limit=25 by var2

I get 65 results in my list, not 25. We are running version 4.0.11, build 79031.

Tisiphone_1 · ‎06-24-2010

So my understanding is, limit number of field1, with no limit of combinations with field2.

That would make sense, but I am getting more than the limit number of field1? Is it impossible to decrease the limit below 10?

the_wolverine · ‎06-23-2010

I'm not sure if your understanding of "limit" vs. "results" is correct here. The limit is based on var field. It does not limit the result/event count.

the_wolverine · ‎06-22-2010

The default limit for top is 10. To override the limit, you'll want to add the limit=N (where N is the new limit) between your field (or field-list) and by-clause:

index="whatever" INFECTION | top misc limit=100 by src

What is the syntax for finding top value of some field and increasing the limit?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk