Quick Reporting
Count it up
So far we've shown that the summarize and eventstats operators are great for running statistical calculations against aggregated data, but there are some aggregatons that we do so often that the geniuses on the Cribl engineering team have decided to make them even easier to run (TYSM engineering team! 🙏 🙌).
The top operator sorts events by specified field, then limits the results to a specified number of results.
The top-hitters operator make our jobs much easier by allowing us to count distinct value combinations (similar to summarize), sorts them in descending order, then limits the number of results to a specified amount.
- Clear the query box.
- Enter the following query:
dataset="cribl_search_sample" dataSource="vpcflowlogs"
| limit 100000
| project srcaddr, dstaddr, toint(packets)
| top 3 by "packets" - Click
SEARCH
Once again, let's break down this search. First we define our scope of events with dataset="cribl_search_sample" dataSource="vpcflowlogs" | limit 100000.
Next we specify the 3 fields that we want to include using | project srcaddr, dstaddr, toint(packets).
And finally, we use the top operator to identify the events with the highest packets count, sort them, and then return the top 3 events.
With the top-hitters operator we'll count the number of events with the same value for a particular field and show the top occurring values.
- Clear the query box.
- Enter the following query:
dataset="cribl_search_sample" dataSource="access_combined"
| limit 100000
| top-hitters 3 of status - Click
SEARCH.
With that, you should be able to quickly view the top 3 occurring http status codes for the access_combined data.
You can easily perform a top-hitters search by selecting a field in the field browser to the left of the results pane and clicking Top 10 values.