I'm trying to chart the top hits to a search while the rest are rolled up into an 'OTHER' column. Ideally I'd like the split to be based on a threshold value, otherwise setting the number of columns is fine. I've read through the docs on the chart function, tried a whole host of stuff, but I cannot get it right. One of the errors I keep getting is:> The following options were specified but have no effect when a split-by clause is not provided:limit
I also tried to set the **wherethresh-comp** parameter in chart function but I'm not sure of the syntax and I couldn't get it to work either.
This is the search command I'm using:
* | regex "\b[AC]\d{6,8}\b" | rex "\b(?[AC]\d{6,8})\b" | chart count by emp_number
↧