https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411734#M118739 <P>I will try to explain my issue in the easiest possible way.</P> <P>I have a result of a search that looks like this:</P> <PRE><CODE>name1, name2, size A A 25 A B 25 A C 25 B B 18 C C 15 C D 15 </CODE></PRE> <P>In the real project, the search is more complex but it follow this logic: A can have multiple B and always have the size of A.</P> <P>I will need to retrieve the top 100 sizes but as this example is short, I would love to get the top 2 sizes and keep data from all other columns.</P> <PRE><CODE>name1, name2, size A A 25 A B 25 A C 25 B B 18 </CODE></PRE> <P>I really don't want to append this search with subsearch as search leading to this data is already very complex and takes a lot of time. <BR /> Is there any simple trick on how to achieve this?</P> Tue, 23 Jul 2019 13:50:27 GMT seva98 2019-07-23T13:50:27Z https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411734#M118739 <P>I will try to explain my issue in the easiest possible way.</P> <P>I have a result of a search that looks like this:</P> <PRE><CODE>name1, name2, size A A 25 A B 25 A C 25 B B 18 C C 15 C D 15 </CODE></PRE> <P>In the real project, the search is more complex but it follow this logic: A can have multiple B and always have the size of A.</P> <P>I will need to retrieve the top 100 sizes but as this example is short, I would love to get the top 2 sizes and keep data from all other columns.</P> <PRE><CODE>name1, name2, size A A 25 A B 25 A C 25 B B 18 </CODE></PRE> <P>I really don't want to append this search with subsearch as search leading to this data is already very complex and takes a lot of time. <BR /> Is there any simple trick on how to achieve this?</P> Tue, 23 Jul 2019 13:50:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411734#M118739 seva98 2019-07-23T13:50:27Z https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411735#M118740 <P>@seva98,</P> <P>Give this a try</P> <PRE><CODE>"your search"|sort - size|eventstats list(size) size_list|eval size_list=mvdedup(size_list) |eval hundredth=mvindex(size_list,99) |where size &gt;=hundredth | fields - size_list,hundredth </CODE></PRE> Tue, 23 Jul 2019 14:24:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411735#M118740 renjith_nair 2019-07-23T14:24:32Z https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411736#M118741 <P>Almost, I have another issue when two different name1 have the same size for example name1=D =&gt; size=10, name1=E =&gt; size=10. Unfortunatelly mvdedup count them as one.</P> Tue, 23 Jul 2019 19:50:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411736#M118741 seva98 2019-07-23T19:50:34Z https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411737#M118742 <P>Fixed it, thanks to @renjith.nair explanation. His solution just had issue for data where multiple name1 can have same size. There may be some extra unnecessary code but it works.</P> <P>Sorting is done first so I get the biggest nodes at the top.<BR /> Then I cut the list to desired size (97 in this case)<BR /> Then I am looking if name1 is in filteredList.</P> <PRE><CODE>| eval parent=if(name1=name2, 1, 0) | sort name | sort -size | sort -parent | eventstats list(name1) as uniquelist | eval filteredlist=mvindex(uniquelist, 0, 96) | eval find_match = if(match(name1, filteredlist), 1, 0) | where name1=filteredlist | fields - filteredlist, uniquelist </CODE></PRE> Wed, 24 Jul 2019 06:14:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-append-search-result-with-top-100-results/m-p/411737#M118742 seva98 2019-07-24T06:14:21Z