Rebuilding top

The top command is very simple to use, but is actually doing a fair amount of interesting work. I often start with top, then switch to stats count, but then wish for something that top provides automatically. This exercise will show you how to recreate all of the elements, so that you might pick and choose what you need.

Let's recreate the top command by using other commands.

Here is the query that we will replicate:

sourcetype="impl_splunk_gen" error
  | top useother=t limit=5 logger user

The output looks like this:

[Screenshot: Rebuilding top]

To build count, we can use stats like this:

sourcetype="impl_splunk_gen" error
  | stats count by logger user

This gets us
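
Since `stats count` only reproduces the count column, the remaining elements of `top` (the percent column, the `limit=5` cut-off and the `useother=t` bucket) have to be built out of further commands. The following search is an added example, not the book's own search, that carries the rebuild through to a result shaped like the original `top useother=t limit=5 logger user`. It keeps the book's sourcetype and fields; the field names `total`, `rank` and `isother` are working names chosen here:

```spl
sourcetype="impl_splunk_gen" error
  | stats count by logger user
  | eventstats sum(count) as total
  | sort 0 -count
  | streamstats count as rank
  | eval logger=if(rank>5, "OTHER", logger)
  | eval user=if(rank>5, "OTHER", user)
  | stats sum(count) as count, max(total) as total by logger, user
  | eval percent=round(count/total*100, 6)
  | eval isother=if(logger="OTHER", 1, 0)
  | sort 0 isother -count
  | fields - total isother
```

Reading it pipe by pipe: `eventstats` attaches the grand total to every row before anything is discarded, which is what makes the percent column a share of all matching events rather than of the five kept rows; `sort 0` removes the default 10,000-row sort limit so `streamstats` ranks every combination; the two `eval` lines rewrite everything past rank 5 to `OTHER`, and the second `stats` folds those rows into one, exactly as `useother=t` does; the `isother` flag then pushes the `OTHER` row to the bottom even when its combined count is larger than some of the kept rows, matching where `top` places it. Dropping `useother` is just a matter of replacing the two `eval` lines with `| where rank<=5`.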
