Why is the top command not separating out top values for each numerical data field?

lagoon7mac
New Member

I have numerical data in 5 different fields that occurs daily and is indexed into Splunk. I am trying to see the top values per field and chart that before I perform other stats commands. So if I perform sourcetype=numdata NOT "TEXTDATA" | top limit=10 field1, I get the top values of the field. When I add "top field1, field2, field3" then I get all of the top values for the fields combined. I would like to get the top values per field. Does anyone know how to SPL this?


sdaniels
Splunk Employee

You might be able to use the append command depending on the type of data and if the values make sense to be charted together.

sourcetype=numdata NOT "TEXTDATA" | top 10 field1 | append [ sourcetype=numdata NOT "TEXTDATA" | top 10 field2 ]  etc.....


lagoon7mac
New Member

That works with the addition of the search command at the beginning of the search bracket, so [ sourcetype=numdata... ] becomes [ search sourcetype=numdata ... ].

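As an added illustration (not code from the thread or from Splunk), the Python below mimics what `top` does with one field versus a field list: given several fields it ranks the most frequent combinations of their values, which is why the results look merged, whereas a per-field ranking is one `top` per field, which in SPL is what the `append [ search ... | top ... ]` pattern above produces. The events and field names are constructed for the example.

```python
from collections import Counter

# Constructed daily events (not from the original post), each carrying
# several numeric fields, the way the poster's sourcetype=numdata does.
EVENTS = [
    {"field1": 10, "field2": 200, "field3": 5},
    {"field1": 10, "field2": 300, "field3": 5},
    {"field1": 20, "field2": 200, "field3": 7},
    {"field1": 10, "field2": 200, "field3": 9},
    {"field1": 30, "field2": 300, "field3": 5},
]


def top(events, fields, limit=10):
    """Mimic `top <field-list>`: rank the most frequent combinations of the
    listed fields' values, reporting count and percent of matching events.
    With a single field this is the per-field ranking the poster wanted;
    with several fields every row is one value combination."""
    combos = Counter(
        tuple(e[f] for f in fields) for e in events if all(f in e for f in fields)
    )
    total = sum(combos.values())
    return [
        dict(zip(fields, combo), count=c, percent=round(100.0 * c / total, 2))
        for combo, c in combos.most_common(limit)
    ]


def top_per_field(events, fields, limit=10):
    """Independent ranking per field: the equivalent of running `top <field>`
    once for each field and appending the result sets."""
    return {f: top(events, [f], limit) for f in fields}
```

Running `top(EVENTS, ["field1", "field2", "field3"])` yields five rows that each occur once, while `top_per_field` shows that 10, 200 and 5 dominate their own fields.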
