https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430867#M123164 <P>Like this:</P> <PRE><CODE>index=YouShouldAlwaysSpecifyAnIndex sourcetype=site_data [search index=YouShouldAlwaysSpecifyAnIndex sourcetype=site_data | top limit=20 "Site Name" | table "Site Name" | format] | top limit=1 Product BY "Site Name" </CODE></PRE> Mon, 24 Jun 2019 01:33:44 GMT woodcock 2019-06-24T01:33:44Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430864#M123161 <P>I need to find out the Top 20 sites within my sourcetype and then from there be able to do further analysis on other fields such as Product. <BR /> Are there a non-destructive stats command I can use for this?</P> <P>i.e.</P> <PRE><CODE>sourcetype=site_data | stats count by "Site Name" | head 20 </CODE></PRE> <P>and then a subsequent search to find out of those twenty sites what is the top product logged?</P> <P>Thanks,<BR /> Jack</P> Fri, 21 Jun 2019 08:13:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430864#M123161 jackreeves 2019-06-21T08:13:38Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430865#M123162 <P>You could use a subsearch:</P> <PRE><CODE>sourcetype=site_data [|search sourcetype=site_data | top 20 "Site Name" | fields "Site Name"] &lt;put the rest of your search here&gt; </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/Usesubsearchtocorrelateevents">https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/Usesubsearchtocorrelateevents</A></P> Fri, 21 Jun 2019 16:59:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430865#M123162 spayneort 2019-06-21T16:59:40Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430866#M123163 <P>To add on to this answer, the subsearch provided by spayneort effectively returns the top 20 "Site Name" values as 20 "OR" seperated field=value pairs. </P> <P>To further understand it, Splunk performs the subsearch first then essentially modifies your search to be:<BR /> sourcetype=site_data "Site Name"=<A href="https://url1">https://url1</A> OR "Site Name"=<A href="https://url2">https://url2</A> OR "Site Name"=<A href="http://url2">http://url2</A> OR ....</P> Fri, 21 Jun 2019 20:02:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430866#M123163 danielansell 2019-06-21T20:02:13Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430867#M123164 <P>Like this:</P> <PRE><CODE>index=YouShouldAlwaysSpecifyAnIndex sourcetype=site_data [search index=YouShouldAlwaysSpecifyAnIndex sourcetype=site_data | top limit=20 "Site Name" | table "Site Name" | format] | top limit=1 Product BY "Site Name" </CODE></PRE> Mon, 24 Jun 2019 01:33:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430867#M123164 woodcock 2019-06-24T01:33:44Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430868#M123165 <P>P.S. field names with spaces are <EM>E*V*I*L</EM>!</P> Wed, 30 Sep 2020 01:02:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430868#M123165 woodcock 2020-09-30T01:02:33Z https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430869#M123166 <P>Thanks guys this has worked as expected! Knew there must be a simple solution.</P> Mon, 24 Jun 2019 07:39:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-top-20-results-and-then-do-a-subsequent-search/m-p/430869#M123166 jackreeves 2019-06-24T07:39:20Z