- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combine and use query results contained in 2 other...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My data model is like:
Key Source Destination
1 a b
1 b c
1 a c
1 a e
because the source result table is too large, I need to get top 30 results that have 15 most popular ones in each, for Source, and Destination.
I propose:
1. index=bla model=blala | top limit=15 Source as sourcegroup??
2. index=bla model=blala | top limit=15 Destination as destinationgroup?
3. index=bla model=blala where Source is contained in sourcegroup or Destination is contained in destinationgroup?
I don't know how to implement list item 3, and how to combine the results into 1. I searched and tried with multiplesearch, but it did not work. Or if the algorithm is slow, any efficient suggestions please?
Thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@h52huang if you want to run the search only for the top 15 Sources and Destinations try the following search
index=bla model=blala
[ search index=bla model=blala
| top limit=15 Source showperc=f showcount=f]
[ search index=bla model=blala
| top limit=15 Destination showperc=f showcount=f]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@h52huang if you want to run the search only for the top 15 Sources and Destinations try the following search
index=bla model=blala
[ search index=bla model=blala
| top limit=15 Source showperc=f showcount=f]
[ search index=bla model=blala
| top limit=15 Destination showperc=f showcount=f]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
Could you share more knowledge on this please? I have been doing a few experiments locally and I am getting confused about the pipeline filtering in subsearches.
index=bla field1=aaa field2=bbb (Source=A OR Destination=A) is returning 75 events (not 15 events).
[index=bla field1=aaa field2=bbb Source=A | top limit=15 DestinationNode showperc=f showcount=f ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
I seem figured out. 🙂
|union
[subsearch 1]
[subsearch 2]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=bla field1=aaa field2=bbb (Source=A OR Destination=A)
[index=bla field1=aaa field2=bbb Source=A | top limit=15 Destination showperc=f showcount=f ]
[index=bla field1=aaa field2=bbb Destinatioe=A | top limit=15 Destination showperc=f showcount=f ]
Does this append the results? My desired it a total of 30 with 15 of Source=A and 15 of Destination=A.
Thank you very much. @niketnilay
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
