- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- top piped to top yields no results for table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
top piped to top yields no results for table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to kristian's answer, if what you want is retrieving the top 5 error codes and then checking which 10 values of src contributed the most to these, you'll likely want to use a subsearch (http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork )
index=cisco_firewall [search index=cisco_firewall | top error_code limit=5 | fields error_code] | top src limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh...sorry k 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry no, that's not how it works
index=cisco_firewall
will give you...say 1 million events back.
index=cisco_firewall | top error_code limit=5
will give you five events back, each containing aggregate statistics on error_code, but no information on src. Thats why this will never work.
index=cisco_firewall | top error_code limit=5 | top src limit=10
If you try;
index=cisco_firewall | top error_code limit=5 | top error_code limit=3
you will get results back, but perhaps not those you were expecting, since there are five unique events in terms of the value you're doing the final top on. The actual top count does not come into the equation. My guess is that you'll get the first three in numerical/alphabetical order.
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, not when you pipe it further along. At least not in my experience. /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then i dont quite understand the results, because when i click over to the events view it shows all of the returned events from the search, so doesnt the additioanl pipe act upon those results?
actually, index=cisco_firewall | top error_code limit=5 gives me all of the events that have count(error_code) in top 5 of all error code counts. it tables 5 lines, but the raw event list is huge.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
