I have a search that returns results for the previous three months for multiple entities. Due to the large number of entities I want to limit the search to the top 10.
This is the search:
sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED | rex field=Message "(?[A-Za-z]+\s[A-Za-z]+)" | eval Month=strftime(_time,"%m/%Y") | chart count over Message by Month
sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED
| rex field=Message "(?[A-Za-z]+\s[A-Za-z]+)"
| eval Month=strftime(_time,"%m/%Y")
| chart count over Message by Month limit=10 useother=false
This will give the top 10 months - possibly not what you are after, so switch the chart round for the top 10 messages
sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED
| rex field=Message "(?[A-Za-z]+\s[A-Za-z]+)"
| eval Month=strftime(_time,"%m/%Y")
| chart count over Month by Message limit=10 useother=false
useother=false prevents the output from rolling up other values into 'other'.
Using Message by Month doesn't reduce the number of results. Month by Message reduces the results but the results are organized by month.
I need it to display each station's monthly totals together to be viewed in a trend pattern by station.
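In the two searches above, limit=10 always caps the split-by field (the field after "by"): "over Message by Month" keeps the top 10 months, and "over Month by Message" keeps the top 10 messages but puts months on the rows. One way to get the station-per-column trend view while still restricting to the 10 busiest stations is to rank the stations first in a subsearch and filter on that list before charting. The search below is an added example, not the original poster's or the answerer's search; it assumes the named capture group is called Station (the group name is missing from the search as posted), and that the rex pattern and base search are the ones shown above.

```spl
sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED
| rex field=Message "(?<Station>[A-Za-z]+\s[A-Za-z]+)"
| eval Month=strftime(_time,"%m/%Y")
| search [ search sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED
           | rex field=Message "(?<Station>[A-Za-z]+\s[A-Za-z]+)"
           | top limit=10 Station
           | fields Station ]
| chart count over Month by Station limit=10 useother=false
```

The subsearch runs over the same time range as the outer search (the previous three months), ranks stations by total failed-message count with top, and returns only the Station field, which Splunk expands into a filter of the form (Station="A B") OR (Station="C D") .... The outer rex has to come before that | search so the Station field exists to filter on. The final chart then has one row per month and one column per station, so each station's monthly totals sit together and a line chart draws one trend series per station; limit=10 useother=false is kept only so the chart does not roll any of the already-selected stations into 'other'.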