Splunk Search

I have a search command but I need to remove the percent column

pboon
New Member

I have a command that gives me the correct info I want, which is
(eventtype="wineventlog_system") source="inEventLog:" (host="" OR ComputerName="") TaskCategory="" SourceName="" EventCode="*" (Type="Error" OR Type="Warning") * | sort -count | top limit=5 host
This displays a percent column, which I want to remove. I have tried to use | top host showperc=f but it doesn't work. I have tried to use showperc=f in many formats, and it changes the bar chart wrong and doesn't remove the result column.

Can someone help with the last part, to remove the percentage column but still display the right bar chart?


FrankVl
Ultra Champion

Just add that inside the initial top command, don't add an additional top command.

(eventtype="wineventlog_system") source="inEventLog:" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" (Type="Error" OR Type="Warning") | sort -count | top showperc=f limit=10 host


pboon
New Member

You're a star!


FrankVl
Ultra Champion

It seems to work fine for me when I add showperc=f to a search like that. Is that bar chart part of a dashboard? Or are you running this as an ad hoc search and then opening the visualization panel?


pboon
New Member

Hi, how are you adding the showperc=f like this?
(eventtype="wineventlog_system") source="inEventLog:" (host="" OR ComputerName="") TaskCategory="" SourceName="" EventCode="*" (Type="Error" OR Type="Warning") * | sort -count | top limit=10 host | top hosts showperc=f

When I add this to my search, the bar chart doesn't show the true info afterwards; they all display 1 count only.
Yes, the bar chart is part of the dashboard.

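An added example, not part of the original thread: a self-contained search over constructed events (the sample-* host names and the variant field are made up for illustration) that puts the accepted answer's single top showperc=f next to the chained top ... | top ... showperc=f form. In the chained form the second top counts the first one's summary rows instead of the raw events.

```spl
| makeresults count=6 ```constructed sample events, not data from the thread```
| streamstats count AS n
| eval host=case(n<=3, "sample-a", n<=5, "sample-b", true(), "sample-c")
| top showperc=f limit=5 host ```single top: showperc=f drops the percent column, count is per raw event```
| eval variant="single top"
| append
    [| makeresults count=6
     | streamstats count AS n
     | eval host=case(n<=3, "sample-a", n<=5, "sample-b", true(), "sample-c")
     | top limit=5 host
     | top showperc=f host ```second top only sees one summary row per host from the first top```
     | eval variant="chained top"]
| table variant host count
```

Comparing the count column between the two variant values shows why a dashboard bar chart built on the chained form no longer reflects the event volume per host.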