Hi All,
I have a requirement to use TOP 4 in the timechart command:
Below is my search:
```
index=_internal | timechart count by sourcetype limit=5 span=1d | addcoltotals
```
(7 days of data)
I need only the top 4 column values of sourcetype, as shown in the screenshot: SPLUNKD, SPLUNK_UI_ACCESS, SPLUNK_WEB_ACCESS, SPLUNK_WEB_SERVICE.
![alt text][1]
Thanks
PR
[1]: /storage/temp/129181-untitled.png