- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What does the "percent" column of top limit search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a pretty basic question but seems like something is amiss with the result I am getting. My search is as follows:
index=xyz sourcetype=JUNIPER LSP_DOWN | top limit=10 ROUTER
search result:
20,000 events
ROUTER count percent
routerx 1887 11.08
routery 1386 8.14
Obviously 1887 is not 11.08% of 20,000 so what exactly does the 11.08 percent represents?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.
If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)
index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The percent here represent the percent contribution of the particular ROUTER to the total count of events. So if the index=xyz sourcetype=JUNIPER LSP_DOWN returns N events, routerx has 1887 counts out of it and 1887 is 11.08 percent of N.
If you're seeing a discrepancy in count, it may be due to the fact that ROUTER field is not available in all the events. I would suggest to run this and compare the result (ensures to select only the events which has field ROUTER available)
index=xyz sourcetype=JUNIPER ROUTER=* LSP_DOWN | top limit=10 ROUTER
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Holy cow all this time I've been using top limit incorrectly 😞 Thank you for the info. My mistake being a newbie is relying solely on an example shown in splunk documentation without analyzing the data.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
