I get it, SPL is a very wide language, with so many commands, arguments, and functions, you name it. It's a lot to learn and definitely a lot to remember. But what if I told you there were a couple of commands that can almost do it all for you?
Let's take a look at this search:

```
index=main | stats count as count by user | sort - count | head 10
```
A relatively easy search, for sure. But what if I could make it easier for you? Allow me to introduce the `top` (and its counterpart, `rare`) Splunk search commands. `top` lets you easily find the most common values in a field. Along with each value it returns the information behind it: the count of events carrying that value and the percentage of the frequency it represents.
Now, let's look at the syntax of the `top` search command:

```
| top <options> <field> <by-clause>
```
Here are the options:
- limit = limit the number of results returned
- showperc = show the percent field (the share of events that carry each value)
- field = the field you want to find the top values of
- by-clause = a field to split the results by (the top values are computed separately for each value of this field)
Now, let's show the value in this search. Take the same search referenced above, rewritten with the new command:

```
index=main | top limit=10 user
```

And blam, the same results (plus a percent column for free), with a lot less search.
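To make clear what `top` is actually computing behind the scenes, here is an added example (not code from the original post or from Splunk) that reproduces the semantics of `top limit=N field by otherfield`, with `showperc`, in plain Python over a constructed set of login events. The `EVENTS` list and the `top()` function are assumptions built for illustration; the count and percent columns come out the way the command itself reports them, so you can check your understanding of a search before you run it against real data.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the original post): one dict per event,
# shaped like the fields you might see in index=main for authentication logs.
EVENTS = [
    {"user": "alice", "action": "login", "status": "success"},
    {"user": "bob", "action": "login", "status": "failure"},
    {"user": "alice", "action": "login", "status": "success"},
    {"user": "carol", "action": "login", "status": "failure"},
    {"user": "bob", "action": "login", "status": "failure"},
    {"user": "alice", "action": "logout", "status": "success"},
    {"user": "dave", "action": "login", "status": "failure"},
    {"user": "bob", "action": "login", "status": "failure"},
    {"user": "alice", "action": "login", "status": "failure"},
    {"user": "carol", "action": "login", "status": "success"},
]


def top(events, field, by=None, limit=10, showperc=True):
    """Return rows the way `| top limit=<limit> <field> by <by>` reports them.

    Each row holds the by-field value (if any), the field value, its count and,
    when showperc is on, its percent of the events in that group.
    """
    # Events missing the field (or the by field) do not contribute, like in Splunk.
    groups = defaultdict(Counter)
    for ev in events:
        if field not in ev or (by is not None and by not in ev):
            continue
        key = ev[by] if by is not None else None
        groups[key][ev[field]] += 1

    # With no by-clause there is a single group; otherwise one group per by value.
    keys = [None] if by is None else sorted(groups)

    rows = []
    for key in keys:
        counter = groups[key]
        total = sum(counter.values())  # denominator for percent within this group
        # Most common first; ties broken on the value so output is deterministic.
        ordered = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
        for value, count in ordered[:limit]:
            row = {}
            if by is not None:
                row[by] = key
            row[field] = value
            row["count"] = count
            if showperc:
                row["percent"] = round(100.0 * count / total, 6)
            rows.append(row)
    return rows


def render(rows):
    """Print rows as a simple table, one line per row (for eyeballing only)."""
    if not rows:
        return ""
    cols = list(rows[0].keys())
    lines = ["\t".join(cols)]
    for r in rows:
        lines.append("\t".join(str(r[c]) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    # Equivalent of: index=main | top limit=10 user
    print(render(top(EVENTS, "user", limit=10)))
    print()
    # Equivalent of: index=main | top limit=2 user by status
    print(render(top(EVENTS, "user", by="status", limit=2)))
```

Note that with a by-clause the percent is relative to the number of events in each group, not to the whole search, which is why a user can show 50% under one status and a much smaller share overall.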
Ask the Experts
Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practices. If you're interested in learning more about our EOD service or chatting with our team of experts, fill out the form below!