Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to limit my search to return only the top 10 events displaying count and percentage?

jalalallam
New Member
‎09-22-2014 10:27 AM

Hello,

I would like to create a search that select the top 10 events

Like this:

event count percent

[Mon Sep 22 17:14:36 2014] [error] [client XXX] File does not exist: /var/www/html/home-store 1000 30
[Mon Sep 22 15:53:37 2014] [error] [client XXX] Bean "Hits_Bean_List.__isset" does not support attrib 500 20

Any suggestions? Any idea is welcome.

Thanks

Tags (3)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-22-2014 10:36 AM

First, if timestamp does not matter, you may want to extract a fields, say called raw, that has only the event. I'm assuming the pattern above are for all your events. Example props.conf

[Insert Name of your sourcetype]
EXTRACT-raw=^\[.*?\](?P<raw>.*)

Then, simply run the search:

sourcetype="Insert name of your sourcetype"|top raw limit=10

I'm not sure if this answers your question I don't know if all your events follow the pattern above. Nevertheless, the top command can get you there.

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎09-23-2014 02:03 PM

Sorry, I had two typos in there. Change that in props.conf to what is now listed in the answer.

You can use http://regex101.com/ to test a regex (remove the ?P in the test regex). BTW, you should put your props.conf in $SPLUNK_HOME/etc/apps/search/local/props.conf

Your search would be: sourcetype=splunk_web_service|top raw limit=10

This assumes that your source "/var/log/httpd/*-error_log" is indeed tied to this sourcetype.

0 Karma
Reply

jalalallam
New Member
‎09-23-2014 10:22 AM

Thank you for reply,

I tried to update the config file:
splubk/etc/apps/search/default/props.conf
[splunk_web_service]
EXTRACT-raw=^[.?](?.8)

And tried to search through the browser
source="/var/log/httpd/*-error_log" | top raw limit=10

but no luck:
No results found.

I want to find the top 10 raw repeated in any log file such as Apache error log.

Can you help me?

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...