In addition to Kristian's answer, if what you want is retrieving the top 5 error codes and then checking which 10 values of src contributed the most to these, you'll likely want to use a subsearch (http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork)
index=cisco_firewall [search index=cisco_firewall | top error_code limit=5 | fields error_code] | top src limit=10
Oh...sorry k 😉
Sorry no, that's not how it works
index=cisco_firewall
will give you...say 1 million events back.
index=cisco_firewall | top error_code limit=5
will give you five events back, each containing aggregate statistics on error_code, but no information on src. That's why this will never work.
index=cisco_firewall | top error_code limit=5 | top src limit=10
If you try:
index=cisco_firewall | top error_code limit=5 | top error_code limit=3
you will get results back, but perhaps not those you were expecting, since there are five unique events in terms of the value you're doing the final top on. The actual top count does not come into the equation. My guess is that you'll get the first three in numerical/alphabetical order.
/Kristian
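To make the point above concrete, here is an added Python stand-in for Splunk's `top` (not code from the thread or from Splunk): it shows that `top error_code limit=5 | top src limit=10` hands the second `top` only aggregate rows with no src field, while the subsearch form filters the raw events first. The event data and the error codes in it are constructed sample values.

```python
from collections import Counter

def make_events():
    """Constructed stand-in for the raw events of index=cisco_firewall."""
    spec = [  # (error_code, src, number of constructed events)
        ("106023", "10.0.0.5", 6), ("106023", "10.0.0.9", 2),
        ("302013", "10.0.0.5", 3), ("302013", "192.168.1.7", 4),
        ("710003", "172.16.0.2", 4),
        ("106100", "10.0.0.9", 3),
        ("305011", "192.168.1.7", 2),
        ("106015", "10.0.0.5", 1),   # rare code, outside the top 5
        ("733100", "10.0.0.20", 1),  # rare code, outside the top 5
    ]
    return [{"error_code": c, "src": s} for c, s, n in spec for _ in range(n)]

def top(events, field, limit):
    """Mimic `| top <field> limit=<limit>`: one aggregate row per distinct
    value with count and percent. Every other field of the events is gone."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return [{field: v, "count": c, "percent": 100.0 * c / total}
            for v, c in counts.most_common(limit)]

def chained_top(events):
    """`... | top error_code limit=5 | top src limit=10`: the second top
    only sees five aggregate rows, none of which carries src -> no results."""
    return top(top(events, "error_code", 5), "src", 10)

def subsearch_top(events):
    """`index=... [search index=... | top error_code limit=5 | fields error_code]
    | top src limit=10`: the subsearch becomes an error_code filter applied to
    the raw events, so src is still present when the outer top runs."""
    top_codes = {row["error_code"] for row in top(events, "error_code", 5)}
    filtered = [e for e in events if e.get("error_code") in top_codes]
    return top(filtered, "src", 10)

if __name__ == "__main__":
    events = make_events()
    print("chained top   ->", chained_top(events))
    for row in subsearch_top(events):
        print("subsearch top ->", row)
```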
No, not when you pipe it further along. At least not in my experience. /k
Then I don't quite understand the results, because when I click over to the events view it shows all of the returned events from the search, so doesn't the additional pipe act upon those results?
Actually, index=cisco_firewall | top error_code limit=5 gives me all of the events that have count(error_code) in the top 5 of all error code counts. It tables 5 lines, but the raw event list is huge.