top returns the most common values, not the max values. If you add an additional 2:4 to the test data, then 2:4 replaces 2:8 in the results. Thanks though. The code to create the test table is really useful.
I have a data set that looks like this:
X Y
1 5
1 4
1 3
1 2
1 1
2 10
2 9
2 8
2 4
I would like to select the maximum 3 values in Y for each value of X:
X Y
1 5
1 4
1 3
2 10
2 9
2 8
I'm looking at sort and top; sort allows me to sort on each field, but the count argument seems to only work on the total number of results returned. Top is looking for the most common values, not the maximum values. Am I missing something?
Thanks,
pk
Thanks so much for the info. At least I know where I stand. I have also found through a little experimenting in the UI that the match_type parameter is not preserved when I clone a definition where it is set. That seems like a bug to me...
So the only way to do this in versions prior to 7 is to manually edit that transforms.conf file? Is a match_type of CIDR supported in 6.5 and just not available via the UI, or is the feature absent altogether?
I'm running Splunk 6.5. I see Min Matches, Max Matches, and Default Matches. I would like to define a lookup table that uses CIDR ranges. Is this a permissions issue, a version issue, or a configuration issue? I've seen screenshots that suggest there should be a match_type field in advanced options. I don't have access to modify transforms.conf directly.
Thanks.
pk