https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394377#M114558 <P>Ended up using two lists, one with the instance name and one with the value. Then used mvindex to trim them down to just the top ones:</P> <PRE><CODE>index=perfmon sourcetype=perfmon:process host=SCUBIP10 | stats max(Value) as maxCounterInstance by counter, instance | sort counter - maxCounterInstance | stats list(instance) as instances, list(maxCounterInstance) as maxValues by counter | eval topValue = mvindex(maxValues, 0, 4) | eval topInstance = mvindex(instances, 0, 4) | fields - instances, - maxValues </CODE></PRE> <P>Here is a sample result:</P> <PRE><CODE>% Privileged Time Idle 100 _Total 100 System 6.06 XDMService#1 3.03 WmiPrvSE#6 1.92 % Processor Time Idle 100 _Total 100 ccSvcHst 33.33 XDMService#1 12.12 System 6.06 </CODE></PRE> <P>Works well, thanks.</P> Wed, 08 Aug 2018 17:17:15 GMT tjago11 2018-08-08T17:17:15Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394374#M114555 <P>Trying to analyze some windows perfmon data. The data looks like this:<BR /> counter -&gt; name of performance metric (ie. % Privileged Time)<BR /> instance -&gt; name of process that has metric (ie. svchost.exe)<BR /> Value -&gt; value of performance metric (ie. 75.00)</P> <P>Looking for a way to find the top ten instances that have the highest value for each of the counters. I can easily do this for a single counter:</P> <PRE><CODE>index=perfmon sourcetype=perfmon:process counter="% Privileged Time" | fields counter, instance, Value | stats max(Value) as counterInstanceMax by counter, instance | sort 5 counter - counterInstanceMax </CODE></PRE> <P>I can append all the individual counter results together but I'm looking for a search that does it for me. So this works but I hate it:</P> <PRE><CODE>index=perfmon sourcetype=perfmon:process counter="% Privileged Time" | fields counter, instance, Value | stats max(Value) as counterInstanceMax by counter, instance | sort 5 counter - counterInstanceMax | append [ search index=perfmon sourcetype=perfmon:process counter="% Processor Time" | fields counter, instance, Value | stats max(Value) as counterInstanceMax by counter, instance | sort 5 counter - counterInstanceMax] | append [ search index=perfmon sourcetype=perfmon:process counter="% User Time" | fields counter, instance, Value | stats max(Value) as counterInstanceMax by counter, instance | sort 5 counter - counterInstanceMax] </CODE></PRE> <P>Here are the results of the big append query, which is what I want but would prefer a different method:</P> <PRE><CODE>1 % Privileged Time Idle 100 2 % Privileged Time _Total 100 3 % Privileged Time ccSvcHst#1 100.00000000000000000 4 % Privileged Time csrss#3 100 5 % Privileged Time vmtoolsd 100 6 % Processor Time Idle 100 7 % Processor Time SCNotification 100.0000000000000000 8 % Processor Time SmcGui 100.0000000000000000 9 % Processor Time _Total 100 10 % Processor Time ccSvcHst#1 100 11 % User Time ccSvcHst#1 100.0000000000000000 12 % User Time vmtoolsd 100.000000000000000000 13 % User Time _Total 60.6052378440438100 14 % User Time csrss#3 40.895846326026990 15 % User Time explorer 11.308819241280776000 </CODE></PRE> Tue, 07 Aug 2018 16:01:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394374#M114555 tjago11 2018-08-07T16:01:16Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394375#M114556 <P>have you tried just dropping the counter= from the search and let it do all of them?</P> <PRE><CODE> index=perfmon sourcetype=perfmon:process | fields counter, instance, Value | stats max(Value) as counterInstanceMax by counter, instance </CODE></PRE> <P>that might be closer and you can go from there?</P> Tue, 07 Aug 2018 20:26:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394375#M114556 kmaron 2018-08-07T20:26:13Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394376#M114557 <P>That works but there are 100's of "instance" values which makes it hard to view the data in a table and impossible to view in a chart. Ideally I would get the top 10 counter + instance combinations.</P> Wed, 08 Aug 2018 17:08:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394376#M114557 tjago11 2018-08-08T17:08:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394377#M114558 <P>Ended up using two lists, one with the instance name and one with the value. Then used mvindex to trim them down to just the top ones:</P> <PRE><CODE>index=perfmon sourcetype=perfmon:process host=SCUBIP10 | stats max(Value) as maxCounterInstance by counter, instance | sort counter - maxCounterInstance | stats list(instance) as instances, list(maxCounterInstance) as maxValues by counter | eval topValue = mvindex(maxValues, 0, 4) | eval topInstance = mvindex(instances, 0, 4) | fields - instances, - maxValues </CODE></PRE> <P>Here is a sample result:</P> <PRE><CODE>% Privileged Time Idle 100 _Total 100 System 6.06 XDMService#1 3.03 WmiPrvSE#6 1.92 % Processor Time Idle 100 _Total 100 ccSvcHst 33.33 XDMService#1 12.12 System 6.06 </CODE></PRE> <P>Works well, thanks.</P> Wed, 08 Aug 2018 17:17:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394377#M114558 tjago11 2018-08-08T17:17:15Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394378#M114559 <P>How to add _time to the final output?</P> Fri, 14 Dec 2018 00:14:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-top-10-max-values-for-each-field-value/m-p/394378#M114559 Amulya888 2018-12-14T00:14:39Z