https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490436#M194141 <P>but that does not valdiate the total count..only of the count is above 200 i need head -5</P> Thu, 23 Jan 2020 18:16:13 GMT ashanka 2020-01-23T18:16:13Z https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490433#M194138 <P>index= aab sourcetype=topconnections earliest=-10m latest=-5m<BR /> | table SESSION_AUTH_ID , CONNECTION_COUNT<BR /> | addcoltotals labelfield=SESSION_AUTH_ID label=TotalCount</P> <P>SESSION_AUTH_ID CONNECTION_COUNT<BR /> a 178<BR /> b 65<BR /> v 36<BR /> d 21<BR /> e 12<BR /> f 12<BR /> g 10<BR /> h 8<BR /> h 5<BR /> f 4<BR /> f 4<BR /> l 3<BR /> o 2<BR /> z 2<BR /> TotalCount 201</P> <P>how do i get the top 5 rows from table when the total count is greater than 200.</P> <P>when the total count reached 200 i need to get the top 5 SESSION_AUTH_ID and its CONNECTION_COUNT</P> Wed, 30 Sep 2020 03:47:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490433#M194138 ashanka 2020-09-30T03:47:44Z https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490434#M194139 <P>See if this works . Add the following to the end or your search query.</P> <P>| head 5</P> Wed, 22 Jan 2020 22:41:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490434#M194139 dol_splunk_user 2020-01-22T22:41:39Z https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490435#M194140 <P>Try this. Hope this is what you are looking for</P> <P>index= aab sourcetype=topconnections earliest=-10m latest=-5m<BR /> | table SESSION_AUTH_ID , CONNECTION_COUNT<BR /> |eventstats sum(CONNECTION_COUNT) as TotalCount<BR /> | where TotalCount&gt; 200 <BR /> | sort - CONNECTION_COUNT<BR /> | head 5</P> Wed, 30 Sep 2020 03:47:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490435#M194140 cvsvineeth 2020-09-30T03:47:47Z https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490436#M194141 <P>but that does not valdiate the total count..only of the count is above 200 i need head -5</P> Thu, 23 Jan 2020 18:16:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490436#M194141 ashanka 2020-01-23T18:16:13Z https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490437#M194142 <P>your sample check:</P> <PRE><CODE>| makeresults | eval _raw="SESSION_AUTH_ID,CONNECTION_COUNT a,178 b,65 v,36 d,21 e,12 f,12 g,10 h,8 h,5 f,4 f,4 l,3 o,2 z,2" | multikv forceheader=1 | table SESSION_AUTH_ID,CONNECTION_COUNT | eventstats sum(CONNECTION_COUNT) as total | stats list(*) as * by total | eval tmp=mvzip(SESSION_AUTH_ID,CONNECTION_COUNT) | eval result =if( total &gt; 200, mvindex(tmp,0,4),"the total count is smaller than 200") | table total result </CODE></PRE> <P>recommend:</P> <PRE><CODE>index= aab sourcetype=topconnections earliest=-10m latest=-5m | table SESSION_AUTH_ID , CONNECTION_COUNT | eventstats sum(CONNECTION_COUNT) as total | stats list(*) as * by total | eval tmp=mvzip(SESSION_AUTH_ID,CONNECTION_COUNT) | eval result =if( total &gt; 200, mvindex(tmp,0,4),"the total count is smaller than 200") | table total result | rex field=result "(?&lt;SESSION_AUTH_ID&gt;[^\,]+),(?&lt;CONNECTION_COUNT&gt;.+)" | table total result SESSION_AUTH_ID CONNECTION_COUNT </CODE></PRE> <P>Hi folks. how about this?</P> Thu, 23 Jan 2020 18:46:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fetch-top-5-rows-based-on-a-value-in-table/m-p/490437#M194142 to4kawa 2020-01-23T18:46:44Z