https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754404#M119764 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>Could you pls validate my search <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Raj_0-1760610709233.png" style="width: 931px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/40567i1AD865B1D5F392E9/image-dimensions/931x378?v=v2" width="931" height="378" role="button" title="_Raj_0-1760610709233.png" alt="_Raj_0-1760610709233.png" /></span></P><P>Thanks&nbsp;</P> Thu, 16 Oct 2025 10:32:32 GMT _Raj 2025-10-16T10:32:32Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754355#M119752 <P>Hi,</P><P>&nbsp;</P><P>Sample Data (CSV format) –&nbsp;<BR />student_id,student_name,class,school,subject,score<BR />1,Alice,10A,School1,Math,85<BR />2,Bob,10A,School1,Math,72<BR />3,Charlie,10B,School1,Science,90<BR />4,David,10A,School2,Math,65<BR />5,Eva,10B,School2,Science,88</P><P>How to achieve this&nbsp;Query : You need to get 2 ranks for students 1. At class level 2. At school level. Kindly build this in single query.</P> Wed, 15 Oct 2025 16:06:42 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754355#M119752 _Raj 2025-10-15T16:06:42Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754356#M119753 <P>What have you tried so far and how did those attempts not meet expectations?&nbsp; It would help to see a mock-up of the expected output.</P> Wed, 15 Oct 2025 16:38:04 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754356#M119753 richgalloway 2025-10-15T16:38:04Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754379#M119756 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249545">@_Raj</a>&nbsp;</P><P>Based on your previous questions it sounds like you are working through some exam/course questions? Has there been guidance on how to work out this SPL?&nbsp;</P><P>Im therefore hesitant to just give an answer, but perhaps the following can help.&nbsp;</P><P>I would start by visualising the sample data using the makeresults command:</P><LI-CODE lang="markup">|makeresults format=csv data="student_id,student_name,class,school,subject,score 1,Alice,10A,School1,Math,85 2,Bob,10A,School1,Math,72 3,Charlie,10B,School1,Science,90 4,David,10A,School2,Math,65 5,Eva,10B,School2,Science,88"</LI-CODE><P>Then I would probably use stats to get the scores for each class, within each school...</P><P>Then if you want to retain the class scores but also get the score for each school then you might want to look at using <A href="https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.3/search-commands/eventstats" target="_self">eventstats</A> which will add a column to the existing stats.&nbsp;</P><P>Sorry for not providing the full SPL but hopefully this will help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 15 Oct 2025 21:31:44 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754379#M119756 livehybrid 2025-10-15T21:31:44Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754386#M119757 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249545">@_Raj</a>&nbsp;,</P><P>as also <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;and <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;said, your requirements aren't so clear, do you want to have the count of students for each class and for each school or what else?</P><P>and how do you want to display these results in the same table?</P><P>probably you could create different panels different searches in a dashboard.</P><P>Anyway, if you want to have the results in a single table (I don't understand why!), you could run something like this (resusing the data visualization of&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;<span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><LI-CODE lang="markup">| makeresults format=csv data= "student_id,student_name,class,school,subject,score 1,Alice,10A,School1,Math,85 2,Bob,10A,School1,Math,72 3,Charlie,10B,School1,Science,90 4,David,10A,School2,Math,65 5,Eva,10B,School2,Science,88" | stats count(eval(class="10A")) AS 10A_count count(eval(class="10B")) AS 10B_count count(eval(school="School1")) AS School1_count count(eval(school="School2")) AS School2_count</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 16 Oct 2025 06:28:36 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754386#M119757 gcusello 2025-10-16T06:28:36Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754388#M119759 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249545">@_Raj</a>&nbsp;</P><P>As others mentioned, its not completely clear. But to start with if you are looking both class-level and school-level ranks, i would suggest use streamstats to put both results into one table</P><P>eg:</P><LI-CODE lang="markup">| streamstats count as class_rank by class | streamstats count as school_rank by school</LI-CODE><P>Regards,<BR />Prewin<BR />If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Thu, 16 Oct 2025 06:48:14 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754388#M119759 PrewinThomas 2025-10-16T06:48:14Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754404#M119764 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>Could you pls validate my search <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Raj_0-1760610709233.png" style="width: 931px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/40567i1AD865B1D5F392E9/image-dimensions/931x378?v=v2" width="931" height="378" role="button" title="_Raj_0-1760610709233.png" alt="_Raj_0-1760610709233.png" /></span></P><P>Thanks&nbsp;</P> Thu, 16 Oct 2025 10:32:32 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754404#M119764 _Raj 2025-10-16T10:32:32Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754419#M119765 <P>I can confirm the search produces the results shown.&nbsp; I cannot verify these are the right results because you have said what the desired results are.&nbsp; Nor can I test the search myself because the query is in a screenshot rather than in a code box.</P> Thu, 16 Oct 2025 14:46:46 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754419#M119765 richgalloway 2025-10-16T14:46:46Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754430#M119767 <P>Hi,</P><P>Could any one please help me in correcting the macros to get the ranking logic.<BR /><BR />defination :</P><P>&nbsp;</P><P>| eval $score_field$ = tonumber($score_field$)<BR />| stats avg($score_field$) AS avg_score by $class_field$<BR />| sort - avg_score<BR />| streamstats count AS rank<BR />| eval avg_score = round(avg_score,2)</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="macros.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/40570iFC6EF3C97E16454F/image-size/large?v=v2&amp;px=999" role="button" title="macros.png" alt="macros.png" /></span></P><P>thanks..</P> Fri, 17 Oct 2025 11:02:11 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754430#M119767 _Raj 2025-10-17T11:02:11Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754432#M119768 <P>Change the name field to "class_ranking(2)".&nbsp; The number of Arguments must be included in the macro name (unless there are no arguments).</P> Fri, 17 Oct 2025 12:06:50 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754432#M119768 richgalloway 2025-10-17T12:06:50Z https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754467#M119774 <P>Hello,</P><P>|makeresults format=csv data="student_id,student_name,class,school,subject,score<BR />1,Alice,10A,School1,Math,85<BR />2,Bob,10A,School1,Math,72<BR />3,Charlie,10B,School1,Science,90<BR />4,David,10A,School2,Math,65<BR />5,Eva,10B,School2,Science,88"<BR />| top score class school<BR />| streamstats count as ClassLevel by class<BR />| streamstats count as SchoolLevel by school</P><P>&nbsp;</P><P>Thank You!</P> Sun, 19 Oct 2025 21:03:49 GMT https://community.splunk.com/t5/Getting-Data-In/Kindly-build-this-in-single-query/m-p/754467#M119774 vjdev 2025-10-19T21:03:49Z