https://community.splunk.com/t5/Splunk-Search/how-to-show-other-field-related-to-filtered-out-results-with/m-p/531916#M150257 <P>Hi there,&nbsp;</P><P>I am not sure if I am missing out the obvious but I would pretty much like to be able to run stats count of a certain field and get highest10 results of that field and then be able to see other data specifically related to that 10 results.&nbsp;<BR /><BR />To be more specific, I would like to see a list of fieldA by count and with highest value something similar to this<BR />i<STRONG>ndex=mysearch | stats count by fieldA | sort count - | head 10&nbsp;</STRONG><BR />but I would als like to be able to see fieldB values that are related to those ten results however if I run&nbsp;<BR /><STRONG>index=mysearch | stats count by fieldA,fieldB | sort count - | head 10</STRONG> then the results for the FieldA are not the same as in the previous query</P><P>Just to sum it up, I would like to see the fieldB values that are related to the head 10 results of fieldA but I am not interested in seeing the stats count of both fieldA and fieldB together.&nbsp;<BR /><BR />I really hope this makes sense.&nbsp;<BR /><BR />Thank you in advance for your help!</P> Thu, 03 Dec 2020 20:16:14 GMT loocayak 2020-12-03T20:16:14Z https://community.splunk.com/t5/Splunk-Search/how-to-show-other-field-related-to-filtered-out-results-with/m-p/531916#M150257 <P>Hi there,&nbsp;</P><P>I am not sure if I am missing out the obvious but I would pretty much like to be able to run stats count of a certain field and get highest10 results of that field and then be able to see other data specifically related to that 10 results.&nbsp;<BR /><BR />To be more specific, I would like to see a list of fieldA by count and with highest value something similar to this<BR />i<STRONG>ndex=mysearch | stats count by fieldA | sort count - | head 10&nbsp;</STRONG><BR />but I would als like to be able to see fieldB values that are related to those ten results however if I run&nbsp;<BR /><STRONG>index=mysearch | stats count by fieldA,fieldB | sort count - | head 10</STRONG> then the results for the FieldA are not the same as in the previous query</P><P>Just to sum it up, I would like to see the fieldB values that are related to the head 10 results of fieldA but I am not interested in seeing the stats count of both fieldA and fieldB together.&nbsp;<BR /><BR />I really hope this makes sense.&nbsp;<BR /><BR />Thank you in advance for your help!</P> Thu, 03 Dec 2020 20:16:14 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-other-field-related-to-filtered-out-results-with/m-p/531916#M150257 loocayak 2020-12-03T20:16:14Z https://community.splunk.com/t5/Splunk-Search/how-to-show-other-field-related-to-filtered-out-results-with/m-p/531926#M150261 <P>First, the counts from the two searches are different because the criteria are different.</P><LI-CODE lang="markup">stats count by fieldA,fieldB</LI-CODE><P>Does not mean "give me counts for fieldA and fieldB".&nbsp; It means "give me counts for all combinations of fieldA and fieldB".</P><P>Second, <FONT face="courier new,courier">stats</FONT> is a transforming command.&nbsp; That means it changes the results, specifically by dropping all fields not referenced in the command.&nbsp; That's why you don't see the other data related to the 10 results.&nbsp; Fix that by using either <FONT face="courier new,courier">eventstats</FONT> or <FONT face="courier new,courier">streamstats</FONT>.</P> Thu, 03 Dec 2020 21:41:47 GMT https://community.splunk.com/t5/Splunk-Search/how-to-show-other-field-related-to-filtered-out-results-with/m-p/531926#M150261 richgalloway 2020-12-03T21:41:47Z