This gives us:
We're almost done! All that's left to do is hide the rownum column. We can use
the fields command for this purpose:
sourcetype="impl_splunk_gen" error
| stats count by logger user
| eventstats sum(count) as totalcount
| eval percent=count/totalcount*100
| sort -count
| eval rownum=1
| accum rownum
| eval logger=if(rownum>5,"OTHER",logger)
| eval user=if(rownum>5,"OTHER",user)
| eval rownum=if(rownum>5,6,rownum)
| stats
    sum(count) as count
    sum(percent) as percent
    by rownum logger user
| fields - rownum
This finally gives us what we are after:
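The same rollup traced in Python, as an added example that is not from the original text: it mirrors the search stage by stage so the shape of the final table is visible. The (logger, user) counts and the function name top_n_with_other are constructed for illustration.

```python
# Constructed (logger, user) -> error count pairs, standing in for the output
# of `stats count by logger user`; these values are not from the original page.
SAMPLE_COUNTS = {
    ("AuthClass", "mary"): 40,
    ("BarClass", "bob"): 25,
    ("FooClass", "jacky"): 15,
    ("AuthClass", "bob"): 8,
    ("LogoutClass", "linda"): 5,
    ("FooClass", "mary"): 4,
    ("BarClass", "extrauser"): 2,
    ("LogoutClass", "bob"): 1,
}


def top_n_with_other(counts, n=5):
    """Keep the n largest rows and fold everything else into one OTHER row."""
    total = sum(counts.values())  # eventstats sum(count) as totalcount
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])  # sort -count
    groups = {}
    # enumerate() plays the role of `eval rownum=1 | accum rownum`
    for rownum, ((logger, user), count) in enumerate(ranked, start=1):
        if rownum > n:
            # the three `eval ...=if(rownum>5, ...)` lines collapse the tail
            logger, user, rownum = "OTHER", "OTHER", n + 1
        # stats sum(count) sum(percent) by rownum logger user
        row = groups.setdefault((rownum, logger, user), {"count": 0, "percent": 0.0})
        row["count"] += count
        row["percent"] += count / total * 100  # eval percent=count/totalcount*100
    # Ordering by rownum keeps OTHER last even when its summed count is larger
    # than some of the top-n rows; dropping rownum afterwards is `fields - rownum`.
    return [
        {"logger": lg, "user": us, "count": r["count"], "percent": round(r["percent"], 2)}
        for (_, lg, us), r in sorted(groups.items(), key=lambda kv: kv[0][0])
    ]


if __name__ == "__main__":
    for row in top_n_with_other(SAMPLE_COUNTS):
        print(row)
```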
 