https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357727#M165923 <P>Hi francly,<BR /> I'm not sure to have understood you request: do you want to create a new query or use the same to have a subdivision of RULES by NAMEs?</P> <P>If the first you already have the solution.</P> <P>If the second you can use </P> <PRE><CODE>index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by NAME RULE | sort -count </CODE></PRE> <P>and take the first 3.</P> <P>Remeber that if you want a stats by one field (e.g. stats count by NAME) it's easier to use top command.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 26 Sep 2017 09:31:43 GMT gcusello 2017-09-26T09:31:43Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357726#M165922 <P>Hi I can use the search string to get the statistics output </P> <P>index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3</P> <P>Name Count<BR /> SRV1 800<BR /> SRV2 600<BR /> SRV6 700</P> <P>Question is how I continue use string to query each of the output "Name" to display a new field "RULE" under "Name"</P> <P>Example</P> <P>index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by RULE | sort -count </P> Tue, 26 Sep 2017 02:37:11 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357726#M165922 francly 2017-09-26T02:37:11Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357727#M165923 <P>Hi francly,<BR /> I'm not sure to have understood you request: do you want to create a new query or use the same to have a subdivision of RULES by NAMEs?</P> <P>If the first you already have the solution.</P> <P>If the second you can use </P> <PRE><CODE>index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by NAME RULE | sort -count </CODE></PRE> <P>and take the first 3.</P> <P>Remeber that if you want a stats by one field (e.g. stats count by NAME) it's easier to use top command.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 26 Sep 2017 09:31:43 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357727#M165923 gcusello 2017-09-26T09:31:43Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357728#M165924 <P>Hi Giuseppe, </P> <P>I want to know based on my output </P> <P>index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3</P> <P>Name Count<BR /> SRV1 800<BR /> SRV2 600<BR /> SRV6 700</P> <P>it's any string of script will automatically take "Name" from the output in this 3 name or potentially more name to get the top "Rule" </P> Tue, 26 Sep 2017 09:50:43 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357728#M165924 francly 2017-09-26T09:50:43Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357729#M165925 <P>Hi francly,<BR /> you can add values(RULE) AS RULE to have a list of all rules for each host, is it what you like?<BR /> something like this</P> <PRE><CODE>index=data sourcetype="data1" host=HOSTA | stats values(RULE) AS RULE count by NAME | sort -count | head 3 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 26 Sep 2017 11:23:17 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357729#M165925 gcusello 2017-09-26T11:23:17Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357730#M165926 <P>Hi Giuseppe, it's possible to break down the count for all the rule? right now I'm only getting 1 rule per Name</P> <P>Name Total Count<BR /> SRV1 800<BR /> Rule1 500<BR /> Rule2 200<BR /> Rule3 100</P> <P>SRV2 600<BR /> SRV6 700</P> Wed, 27 Sep 2017 03:34:05 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357730#M165926 francly 2017-09-27T03:34:05Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357731#M165927 <P>Hi francly,<BR /> try this</P> <PRE><CODE>index=data sourcetype="data1" host=HOSTA | stats count by NAME, RULE | search [ search index=data sourcetype="data1" host=HOSTA | stats count by NAME | head 3 | fields NAME ] | eventstats sum(count) as rank by NAME | appendpipe [ stats values(rank) AS rank sum(count) AS Total by NAME ] | sort 0 -rank NAME -Total -count | fields - rank | eval NAME=if(Total&gt;0,NAME,"") </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 27 Sep 2017 11:02:20 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357731#M165927 gcusello 2017-09-27T11:02:20Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357732#M165928 <P>Hi Giuseppe,</P> <P>I getting this not relevant output</P> <P><IMG src="https://lh3.googleusercontent.com/8maKmwAIlQhgQYmhQ6_sxX2P9N9OBfDXl03AupVS1PJVXKOxR2xjl58TfvukXR4qCyHJxeSoZEBbpujsCydgK8D82WU=s480" alt="alt text" /></P> Thu, 28 Sep 2017 03:32:30 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357732#M165928 francly 2017-09-28T03:32:30Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357733#M165929 <P>You can try something like this...</P> <PRE><CODE>index=data sourcetype="data1" host=HOSTA Name=SRV1 | stats count by NAME RULE | rename COMMENT as "Chew all the records up again to get the top 3 names" | appendpipe [| stats sum(count) as totcount by NAME | sort 3 - totcount] | rename COMMENT as "Roll the top 3 totcount onto all records with that NAME, then drop all records without totcount" | eventstats values(totcount) as totcount by NAME | where isnotnull(totcount) </CODE></PRE> Thu, 28 Sep 2017 05:48:16 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357733#M165929 DalJeanis 2017-09-28T05:48:16Z https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357734#M165930 <P>Sorry I cannot see your output.<BR /> Bye.<BR /> Giuseppe</P> Thu, 28 Sep 2017 07:44:41 GMT https://community.splunk.com/t5/Splunk-Search/search-string-query/m-p/357734#M165930 gcusello 2017-09-28T07:44:41Z