
How to limit my search to return only the top 10 results based on the following search queries?

ranjyotiprakash
Communicator

I am using these search queries and I want to restrict the search to return only the top ten results.

How do I do it?

The search queries I am using are:

sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) BY client_ip

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) BY URL

Thanks...


lpolo
Motivator

Try this:

your_query | sort - sum(bandwidth) | head 10

You may want to name your field "bandwidth" as follows:

sourcetype="access" | stats sum(bytes_sent) as bandwidth BY client_ip | eval bandwidth=round(bandwidth/1024,2)  | sort - bandwidth | head 10

sourcetype="access" | stats sum(bytes_sent) as bandwidth BY URL | sort - bandwidth | eval bandwidth=round(bandwidth/1024,2) | head 10

Lp


Konrad_Schlude
Observer

The usage of sort is fine if the number of items is not too large. Sorting a large number of items is time-consuming, and there is a limit in Splunk. Because of the limit, the attempt to sort the items and then select the first 10 items might end in a wrong result.

In order to avoid this, I filter all items above/below a limit that is specific to the problem. For instance, 50 000 records are processed; more than 49 000 of them are processed within 2 seconds, but there are a few records for which the processing takes more time. So I set the limit to 2 seconds.
However, if there are just a few records, e.g. 10, then it might be the case that the list of top 10 results is empty because all of them are below the limit of 2 seconds.

0 Karma

Lamar
Splunk Employee

You may want to use top for this.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Top

sourcetype="access" |eval bandwidth=round(bytes_sent/1024,2)| stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by client_ip

sourcetype="access" | eval bandwidth=round(bytes_sent/1024,2)|stats sum(bandwidth) as total_bandwidth | top limit=10 total_bandwidth by URL

Hope that helps.

0 Karma

ziegfried
Influencer

The question kind of indicates the 10 greatest values.

sdaniels
Splunk Employee

If you just want the greatest values and not the top 10, just sort in descending order.

ziegfried
Influencer

This is actually incorrect. The top command will deliver the most common values, not the greatest ones.

ranjyotiprakash
Communicator

Thanks a lot for your replies... "head" works...

0 Karma

ziegfried
Influencer

I've slightly changed the search to do the "round" after the aggregation. This is better because it reduces the rounding error.

0 Karma

ziegfried
Influencer

But that's probably the most reasonable result for the question.

0 Karma

sdaniels
Splunk Employee

The head command will give you the first 10 results whereas the top command will give you the most common values of a particular field.

0 Karma
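As an added illustration (not code from the thread or from Splunk), here is a small Python model of the approaches discussed above, run over constructed access events: `stats sum(...) BY` with rounding after versus before the sum (ziegfried's point), `sort - bandwidth | head` for the greatest totals, `top` for the most frequent values (which is why it answers a different question), and Konrad_Schlude's threshold pre-filter that can come back empty. The function names and the sample values are hypothetical stand-ins for the SPL commands.

```python
from collections import Counter, defaultdict

# Constructed sample "access" events (hypothetical values, not from the thread).
EVENTS = [
    {"client_ip": "10.0.0.1", "URL": "/a", "bytes_sent": 1000},
    {"client_ip": "10.0.0.1", "URL": "/a", "bytes_sent": 1000},
    {"client_ip": "10.0.0.1", "URL": "/b", "bytes_sent": 1000},
    {"client_ip": "10.0.0.2", "URL": "/c", "bytes_sent": 1048576},
    {"client_ip": "10.0.0.3", "URL": "/a", "bytes_sent": 512},
    {"client_ip": "10.0.0.3", "URL": "/a", "bytes_sent": 512},
    {"client_ip": "10.0.0.4", "URL": "/d", "bytes_sent": 2048},
]


def stats_sum_by(events, key, round_first=False):
    """Stand-in for `stats sum(bytes_sent) as bandwidth BY <key>` followed by
    `eval bandwidth=round(bandwidth/1024,2)`. With round_first=True the
    per-event rounding from the original question is applied before the sum,
    which accumulates rounding error."""
    totals = defaultdict(float)
    for e in events:
        kb = e["bytes_sent"] / 1024
        totals[e[key]] += round(kb, 2) if round_first else kb
    return {k: round(v, 2) for k, v in totals.items()}


def sort_desc_head(table, n=10):
    """Stand-in for `sort - bandwidth | head <n>`: the n largest totals, largest first."""
    return sorted(table.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_values(events, field, limit=10):
    """Stand-in for `top limit=<n> <field>`: the most FREQUENT values of a field,
    with count and percent. This is not the same as the largest values."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return [(v, c, round(100 * c / total, 2)) for v, c in counts.most_common(limit)]


def above_threshold(table, limit_kb):
    """Stand-in for a `where bandwidth > <limit>` pre-filter instead of a full sort:
    cheap on large result sets, but empty when every total is below the limit."""
    return {k: v for k, v in table.items() if v > limit_kb}
```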

SanthoshSreshta
Contributor

Why have they used sort - bandwidth there? Can you please explain it to me?

0 Karma

MuS
SplunkTrust

From the docs about sort (http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Sort):

Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).

0 Karma

SanthoshSreshta
Contributor

Yeah!!
Got it. Thank you. 🙂

0 Karma