Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not able to limit the no of entries in search result

ppurokit
Path Finder
‎07-19-2013 01:21 AM

Hi All,

I have been writing some search queries and now i have written a search query for which im getting a no of entries.

By requirement is that i need to limit the no of search results which i'm getting.

The search query is as follow:

(XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | top limit=15 mbytes by dest_ip | rename mbytes as "Total MBytes", dest_ip as "Destination Address" | fields - percent, - count  | sort -"Total MBytes" | addcoltotals "Total MBytes" labelfield="Destination Address" label=Total

I have used a "top limit=15" in the search query, but though i receive a search result of 450+.

I also tried using "stats sum(mbytes)" but was not able to limit the search result.

Please let me know if I'am missing anything in the above query or is there any other way to achieve this?

Also please let me know how can i convert the same into a chart.

I know i can just click on the graph icon and convert it into a chart , but if you can provide the exact chart command it will be more useful.

Thanks in Adavance
Prasanna

0 Karma
Reply

amit_saxena
Communicator
‎07-28-2013 06:44 AM

Hi,

I would suggest using the following modified query.

(XXXXXX OR XXXXXXX) | rex "for [\w\d\-\.]+:(?<src_ip>\d+\.\d+\.\d+\.\d+)/(?<src_port>\d+)\s+to\s+[\w\d\-\.]+:(?<dest_ip>\d+\.\d+\.\d+\.\d+)/(?<dest_port>\d+)" | rex "bytes\s+(?<bytes>\d+)" | eval mbytes= round((bytes/1024/1024),3) | table dest_ip, mbytes | sort -mbytes | head 15 | rename mbytes as "Total MBytes", dest_ip as "Destination Address"

This will help in getting the data in tabular form as you want. I haven't tried this but I feel that the search results in tabular format can be directly converted into chart also.

Let me know if it works for you.

Regards,
Amit Saxena

0 Karma
Reply

Ayn
Legend
‎07-19-2013 01:42 AM

The reason you're getting more than 15 results is that you're doing top limit=15 BUT also by dest_ip, which tells top to grab each dest_ip's top 15 mbytes values. Depending on what you actually want you might instead want to do something like top 1 mbytes by dest_ip | sort - mbytes to get the IP's with the highest mbytes values, and then do | head 15 to only get the first 15.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...