Splunk Quick Guide
Splunk - Top Command
We are often interested in finding the most common values of a field. The top command in Splunk does exactly this: it returns the most frequent values of a field together with the number of events in which each value occurs and that count expressed as a percentage of the events.
Top Values for a Field
In its simplest form, it returns just the count for each value and that count as a percentage of the total number of events. In the example below, we find the 8 most common productid values.

Top Values for a Field by a Field
Next, we can add a second field in the top command's by clause to display the results for field1 within each value of field2. In the search below, we find the top 3 productid values for each file name. Note how each file name is repeated 3 times, once for each of its most frequent productid values.

Show Options
We can also choose which columns to show by using the additional options Splunk provides for the top command. In the command below, we disable the percentage column and display only the top product IDs for each file name.

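As an added example that is not part of the original tutorial, the following Python function reproduces what the three searches described above compute (top with a limit, top with a by clause, and top with the percentage column disabled) over a small constructed set of events, so the count and percent columns can be checked by hand. The productid and filename values are constructed sample data, the SPL searches in the comments are the forms these sections describe as I would write them, and the group ordering of the by clause is an assumption (sorted by the by-field value).

```python
from collections import Counter, defaultdict


def _make(spec):
    """Build constructed sample events: (productid, filename, how many events)."""
    return [{"productid": p, "filename": f} for p, f, n in spec for _ in range(n)]


# Constructed sample data, not from the original page.
EVENTS = _make([
    ("WC-SH-G04", "access_30DAY.log", 2),
    ("DB-SG-G01", "access_30DAY.log", 3),
    ("SF-BVS-01", "access_30DAY.log", 1),
    ("WC-SH-G04", "www1/access.log", 4),
    ("MB-AG-G07", "www1/access.log", 1),
])


def top(events, field, by=None, limit=10, showperc=True):
    """Model of `top <field> [by <byfield>] limit=N showperc=<bool>`.

    Returns the result rows as dicts in Splunk's column order:
    [byfield,] field, count[, percent]. Percent is relative to the number of
    events in the same by-group (or to all events when there is no by clause).
    """
    groups = defaultdict(Counter)
    for ev in events:
        if field not in ev or (by and by not in ev):
            continue  # events lacking the field(s) do not contribute, as in top
        groups[ev[by] if by else None][ev[field]] += 1

    rows = []
    for key in sorted(groups, key=lambda k: (k is None, k)):  # ordering assumed
        counts = groups[key]
        total = sum(counts.values())
        for value, count in counts.most_common(limit):  # limit applies per group
            row = {by: key} if by else {}
            row[field] = value
            row["count"] = count
            if showperc:
                row["percent"] = round(100.0 * count / total, 6)
            rows.append(row)
    return rows


if __name__ == "__main__":
    print(top(EVENTS, "productid", limit=8))                 # ... | top limit=8 productid
    print(top(EVENTS, "productid", by="filename", limit=3))  # ... | top limit=3 productid by filename
    print(top(EVENTS, "productid", by="filename", showperc=False))  # ... | top productid by filename showperc=false
```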