What does splunk count when more than one field is used in the 'top' command?

Question

When I type this search query in splunk search head:

index=main sourcetype=mySrcType | top fieldA fieldB

Splunk automatically adds count column to the resulting table. Now, what is this count? is it a simple sum of each field count?

score 1 · Accepted Answer · answered Jul 31 '17 at 12:57

1

The count is showing you the number of times thatt field value pair show up in the time range and query you ran. If you want to exclude it, you can add

| fields - count

answered Jul 31 '17 at 12:57

skoelpin

212
1
5

score 0 · Answer 2 · answered Jul 30 '17 at 13:08

0

Top counts the most common 10 values of each of the fields you list after it's command

You can read more about it on its documentation page http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Top

answered Jul 30 '17 at 13:08

Joao Figueiredo

3,120
3
31
40

What does splunk count when more than one field is used in the 'top' command?

2 Answers2