The top command is very simple to use, but is actually doing a fair amount of interesting work. I often start with top, then switch to count, but then wish for something that top provides automatically. This exercise will show you how to recreate all the elements, so that you might pick and choose what you need.
Let's recreate the top command by using other commands.
Here is the query that we will replicate:
sourcetype="impl_splunk_gen" error | top useother=t limit=5 logger user
The output looks like this:
To build count, we can use stats like this:
sourcetype="impl_splunk_gen" error | stats count by logger user
This gets us most of ...
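As an added example (not from the original text), here is one way to carry the stats query through to the remaining pieces of top useother=t limit=5: the percent column, the five-row limit, and the OTHER row. The field names total and rank are assumptions introduced for this sketch.

```spl
sourcetype="impl_splunk_gen" error
| stats count by logger user
| eventstats sum(count) as total
| sort 0 -count
| streamstats count as rank
| eval logger=if(rank<=5, logger, "OTHER")
| eval user=if(rank<=5, user, "OTHER")
| stats sum(count) as count max(total) as total min(rank) as rank by logger user
| eval percent=count/total*100
| sort 0 rank
| fields logger user count percent
```

eventstats attaches the grand total to every row before anything is discarded, so percent stays relative to all matching events rather than only the top five. How top labels the OTHER row when several fields are given is not shown on this page, so setting both logger and user to OTHER is an assumption.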