I have a splunk search for a list of users performing a particular task. I want to exclude the top 20 noisy results and fetch the other results. How can I do it?
Please help me with this; my sample query is:
source="x" | stats count by a,b | fields + a,b,count | sort count desc.
Now this generates a big list of results, out of which I want to filter out the top 20 noisy results. I tried top 20 followed by the rare command, or tail with the reverse command, but it doesn't fetch the right results.
@phant0mgh0st Try something like the below to exclude the top 20 noisy results:
source="x" | stats count by a,b | fields + a,b,count | sort 0 count desc | streamstats count as id | where id > 20
The reason is that sort limits to 10K results by default.
An easier option is to do the limiting beforehand:
source="x" | top a by b
Hello,
After sorting your data, you can try this:
| streamstats count as nb
| where nb > 20
This will remove the first 20 rows of your table 🙂
Let me know if it helps you.
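As an added illustration (my own code, not from either answer above), here is the same pipeline written out in Python over a constructed set of events, so the rank-based cutoff from both answers (streamstats count as id | where id > 20) can be compared with a count-threshold cutoff when several rows tie at the boundary: the rank cutoff always removes exactly 20 rows, while the threshold version also removes every row that ties with the 20th. The field names a and b, the user names and the event counts are all constructed for the example; note also that Python's sorted() has no row limit, so nothing here corresponds to the sort 0 that the first answer needs in Splunk.

```python
from collections import Counter


def make_events():
    """Constructed sample events (not real data): dicts with fields a and b,
    mirroring the fields the question groups on with `stats count by a,b`."""
    spec = {}
    for i in range(25):
        # user00..user24 performing "login", with counts 30 down to 6
        spec[(f"user{i:02d}", "login")] = 30 - i
    # Two extra pairs that tie with the 20th-ranked row (count 11), so the
    # difference between a rank cutoff and a threshold cutoff is visible.
    spec[("user19", "logout")] = 11
    spec[("user20", "logout")] = 11
    return [{"a": a, "b": b} for (a, b), c in spec.items() for _ in range(c)]


def stats_count_by(events):
    """Equivalent of `stats count by a,b`: one row per (a, b) pair with its count."""
    counts = Counter((e["a"], e["b"]) for e in events)
    return [{"a": a, "b": b, "count": c} for (a, b), c in counts.items()]


def sort_desc(rows):
    """Equivalent of `sort 0 count desc`: every row, highest count first.
    Ties are broken on (a, b) so the ranking below is deterministic; Splunk's
    own tie order is whatever order stats emitted the rows in."""
    return sorted(rows, key=lambda r: (-r["count"], r["a"], r["b"]))


def drop_top_n(rows, n=20):
    """Equivalent of `streamstats count as id | where id > n`: number the rows
    in their current order and keep only those numbered above n. Exactly n
    rows are dropped, whatever their counts are."""
    numbered = [dict(r, id=i) for i, r in enumerate(rows, start=1)]
    return [r for r in numbered if r["id"] > n]


def drop_by_threshold(rows, n=20):
    """Alternative cutoff: drop every row whose count is at least as large as
    the n-th row's count, so rows tying with the boundary go too. Needs the
    rows already sorted descending."""
    if len(rows) <= n:
        return []
    cutoff = rows[n - 1]["count"]
    return [r for r in rows if r["count"] < cutoff]


if __name__ == "__main__":
    ranked = sort_desc(stats_count_by(make_events()))
    print(f"{len(ranked)} (a,b) rows in total")
    for r in drop_top_n(ranked, 20):
        print("rank cutoff keeps:", r)
    for r in drop_by_threshold(ranked, 20):
        print("threshold cutoff keeps:", r)
```

With the constructed data the rank cutoff keeps 7 rows, the first of them a count-11 row that only survived because of tie order, whereas the threshold cutoff keeps the 5 rows with counts strictly below 11. Which behaviour is wanted depends on whether "top 20 noisy" means twenty rows or every row as noisy as the twentieth.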