Implementing Splunk 7(Third Edition)

Controlling the output of top

The default behavior for top is to show the 10 largest counts. The possible row count is the product of the distinct values of all fields specified, in this case, date_month and date_wday. Using our data in this example, there are eight possible combinations. If you would like to see fewer than ten rows (or, in our example, fewer than eight), add the argument limit, like so:

sourcetype=tm1* error | top limit=4 date_month date_wday

Arguments change the behavior of a command; they take the form of name=value. Many commands require the arguments to immediately follow the command name, so it's a good idea to always follow this structure.

Each command has different arguments, as appropriate. As you type in the search bar, a drop-down help box will appear for the last command in your search, as shown in the following screenshot:

The preceding screenshot lists Matching searches in the upper-left corner; if there are no matching searches, this section will not be displayed.

The Help option takes you to the documentation for that command at http://www.splunk.com, and More >> provides concise inline documentation.

Let's use a few arguments to make a shorter list but also roll all other results into another line:

sourcetype=tm1* error
| top
limit=4
useother=true otherstr="everything else"
date_month date_wday

This produces results like what is shown in the following screenshot:

The last line represents everything that didn't fit into the top four. The top option useother enables this last row, while the option otherstr controls the value printed instead of the default value other.

The reader may review the Splunk documentation for additional information on the top command and options at:

http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Top

For the opposite of top, see the rare command.
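To make the semantics of limit, useother and otherstr (and of rare as the mirror image of top) concrete, here is an added example, not code from the book or from Splunk, that re-implements the counting and rollup logic in Python over a constructed set of events. The event list, the field names and the tie-breaking rule (ties sorted by field value) are assumptions for illustration; the percent column is computed as count divided by the number of events that carry all the requested fields, rounded to six decimals as the Splunk results table displays it.

```python
from collections import Counter

# Constructed sample events (not from the book): the date_month / date_wday
# values Splunk would extract from each event's _time field.
EVENTS = (
    [{"date_month": "january", "date_wday": "monday"} for _ in range(4)]
    + [{"date_month": "january", "date_wday": "tuesday"} for _ in range(3)]
    + [{"date_month": "february", "date_wday": "monday"} for _ in range(2)]
    + [
        {"date_month": "february", "date_wday": "friday"},
        {"date_month": "march", "date_wday": "monday"},
        {"date_month": "march", "date_wday": "saturday"},
    ]
)


def top(events, fields, limit=10, useother=False, otherstr="other", rarest=False):
    """Approximate Splunk's top command (or rare, when rarest=True).

    Counts every distinct combination of `fields`, orders the combinations by
    count, keeps `limit` rows and, when useother is set, rolls the remaining
    combinations into one row labelled `otherstr`.
    """
    counts = Counter(
        tuple(event[f] for f in fields)
        for event in events
        if all(f in event for f in fields)  # events missing a field are ignored
    )
    total = sum(counts.values())
    if total == 0:
        return []

    # Descending by count for top, ascending for rare; ties are broken by the
    # field values so the output is deterministic (assumed tie-break rule).
    ranked = sorted(counts.items(), key=lambda kv: (kv[1] if rarest else -kv[1], kv[0]))

    rows = []
    for values, count in ranked[:limit]:
        row = dict(zip(fields, values))
        row["count"] = count
        row["percent"] = round(100.0 * count / total, 6)
        rows.append(row)

    # The "other" row only appears when something was actually cut off.
    if useother and len(ranked) > limit:
        rest = sum(count for _, count in ranked[limit:])
        row = {f: otherstr for f in fields}  # label shown in every field column (assumption)
        row["count"] = rest
        row["percent"] = round(100.0 * rest / total, 6)
        rows.append(row)
    return rows


def format_rows(rows, fields):
    """Render the result rows as a tab-separated table like the results view."""
    columns = fields + ["count", "percent"]
    lines = ["\t".join(columns)]
    for row in rows:
        lines.append("\t".join(str(row[c]) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    fields = ["date_month", "date_wday"]
    # Equivalent of: ... | top limit=4 useother=true otherstr="everything else" date_month date_wday
    print(format_rows(top(EVENTS, fields, limit=4, useother=True, otherstr="everything else"), fields))
    print()
    # Equivalent of: ... | rare limit=2 date_month date_wday
    print(format_rows(top(EVENTS, fields, limit=2, rarest=True), fields))
```

Running the script prints the four most frequent month/weekday combinations followed by a fifth row labelled "everything else" that accounts for the two events cut off by limit=4, so the count and percent columns still add up to the full event total; the second table shows the same data ordered the way rare would order it.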