Limit Search Results in Chart to Top 10

dmmaloy · ‎02-18-2020

I have a search that returns results for the previous three months for multiple entities. Due to the large number of entities I want to limit the search to the top 10.
This is the search:
sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED | rex field=Message "(?[A-Za-z]+\s[A-Za-z]+)" | eval Month=strftime(_time,"%m/%Y") | chart count over Message by Month

nickhills · ‎02-18-2020

sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED 
| rex field=Message "(?[A-Za-z]+\s[A-Za-z]+)" 
| eval Month=strftime(_time,"%m/%Y") 
| chart count over Message by Month limit=10 useother=false

This will give the top 10 months - possibly not what you are after, so switch the chart round for the top 10 messages

sourcetype=escada_message Message=FAILED AOR_Group=Gas NOT ACKNOWLEDGD NOT DELETED 
| rex field=Message "(?[A-Za-z]+\s[A-Za-z]+)" 
| eval Month=strftime(_time,"%m/%Y") 
| chart count over Month by Message limit=10 useother=false

useother=false prevents the output from rolling up other values into 'other'

If my comment helps, please give it a thumbs up!

dmmaloy · ‎02-18-2020

Using Message by Month doesn't reduce the number of results. Month by Message reduces the results but the results are organized by month.
I need it to display each station's monthly totals together to be viewed in a trend pattern by station.

Limit Search Results in Chart to Top 10

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms