https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58194#M14219 <P>Ah, I see. Updating my answer.</P> Wed, 12 Sep 2012 19:02:22 GMT Ayn 2012-09-12T19:02:22Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58191#M14216 <P>I have a simple need that I cannot solve. For a generic search of source=whatever filter1 filter2 filterx | I want to see for N number of fields, the top, say, 5 values, by percentage (not count).</P> <P>For example: Say I am looking at a web storefront and want transaction data. Assuming that all fields are reported 100% of the time, data I am interested in is say, top 5 of the following fields; creditCardBrand, webBrowser, shipToCity, orderHour, and ipAddress. For the last 24 hours, source=transactions successful=True orderStatus=Complete shipped=True |</P> <P>The results I want need to look something like this:<BR /> <PRE><BR /> <B>Top cCardBrand Percent webBrowser Percent shipToCity Percent orderHour Percent</B><BR /> 1 Visa 35.00 MSIE 42.00 Austin 10.00 21 13.56<BR /> 2 Mastercard 35.00 Chrome 25.23 Boston 9.85 22 13.01<BR /> 3 Discover 20.00 FireFox 19.50 New York 9.84 18 11.78<BR /> 4 Amex 10.00 Safari 13.00 Miami 5.54 5 10.52<BR /> 5 Opera 00.27 Denver 3.22 20 4.45</PRE></P> <P><BR /> NOTE: All 4 of these fields appear and report these percentages on the right-hand side as selected fields. I am merely trying to select some of the fields and report back the top 5 values (percentages) of each. Calculating percents takes a while, so this is fine to be scheduled to run overnight.</P> Wed, 12 Sep 2012 17:29:14 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58191#M14216 jluste 2012-09-12T17:29:14Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58192#M14217 <P>You could run <CODE>top</CODE> with no limit, then sort by the <CODE>percent</CODE> field and grab the first N items in the list.</P> <PRE><CODE>... | top 0 creditCardBrand webBrowser shipToCity orderHour ipAddress | sort - percent | head 5 </CODE></PRE> <P>EDIT: OK, I misunderstood your original question. You want to grab the top fields by percentage <EM>separately</EM>. For this my best advice would be to use <CODE>appendcols</CODE>. The caveats I can think of is that you will actually need to spawn one search for each field you want to grab the top values by percentage for, and you need to call the percentage fields different names in order to not have them overwrite each other. So something like this should get you going in the right direction:</P> <PRE><CODE>... | top limit=5 percentfield=ccpercent creditCardBrand | appendcols [search ... | top limit=5 percentfield=browserpercent webBrowser] | appendcols [search ... | top limit=5 percentfield=citypercent shipToCity] | ... </CODE></PRE> Wed, 12 Sep 2012 18:26:40 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58192#M14217 Ayn 2012-09-12T18:26:40Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58193#M14218 <P>That only gives me one percentage, which is where all of the vales in that row coincide. Example, 0.249% of my transactions were charged to Visa, ordered on MSIE at 11pm and shipped to Austin. It doesn't treat each field value as a separate entity. I need each value's percentage to the search, which means a percentage after every value.</P> Wed, 12 Sep 2012 18:44:16 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58193#M14218 jluste 2012-09-12T18:44:16Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58194#M14219 <P>Ah, I see. Updating my answer.</P> Wed, 12 Sep 2012 19:02:22 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58194#M14219 Ayn 2012-09-12T19:02:22Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58195#M14220 <P>This worked! I got the results I was looking for. Only issue is that some of the placement is wonky. Example: the orderHour percentage is 4 columns to the left of orderHour and webBrowser percent comes before webBrowser.</P> <P>Is there an easy way to force the order be maintained?</P> Thu, 13 Sep 2012 14:18:43 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58195#M14220 jluste 2012-09-13T14:18:43Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58196#M14221 <P>You can add <CODE>| table &lt;yourfields&gt;</CODE> at the end to force a list of fields with the order you want.</P> Thu, 13 Sep 2012 17:55:28 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58196#M14221 Ayn 2012-09-13T17:55:28Z https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58197#M14222 <P>Awesome. Perfect. This is a closed 100% completed answer. Thanks Ayn!</P> Thu, 13 Sep 2012 19:10:32 GMT https://community.splunk.com/t5/Splunk-Search/Get-top-5-field-values-by-percent-for-multiple-fields-in-a/m-p/58197#M14222 jluste 2012-09-13T19:10:32Z