https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588711#M205020 <P>Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values()</P> Fri, 11 Mar 2022 11:52:42 GMT ITWhisperer 2022-03-11T11:52:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588708#M205017 <P>Hi Team,&nbsp;</P> <P>I have the following result in place with 30min bucket using stats values() and then xyseries&nbsp;</P> <P>time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; field1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; field3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field4</P> <TABLE width="510px"> <TBODY> <TR> <TD width="52.5078px" height="25px">05:30</TD> <TD width="132.125px" height="25px">4,10,11,12,30</TD> <TD width="112.922px" height="25px">1,13,14,9,8,7</TD> <TD width="84.125px" height="25px">5,7,3,8,9,1,55</TD> <TD width="141.727px" height="25px">23,24,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">06:00</TD> <TD width="132.125px" height="25px">19,10,11,12,30</TD> <TD width="112.922px" height="25px">12,3,14,9,8,7</TD> <TD width="84.125px" height="25px">1,17,3,8,1,34</TD> <TD width="141.727px" height="25px">22,2,25,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">06:30</TD> <TD width="132.125px" height="25px">20,10,11,12,55</TD> <TD width="112.922px" height="25px">11,13,14,9,18,7</TD> <TD width="84.125px" height="25px">10,7,3,8,9,1,4</TD> <TD width="141.727px" height="25px">23,24,26,1,18,49</TD> </TR> <TR> <TD width="52.5078px" height="25px">07:00</TD> <TD width="132.125px" height="25px">21,10,11,12,44</TD> <TD width="112.922px" height="25px">12,13,17,9,7</TD> <TD width="84.125px" height="25px">6,7,3,9,1,23</TD> <TD width="141.727px" height="25px">23,24,25,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">07:30</TD> <TD width="132.125px" height="25px">31,10,11,12,50</TD> <TD width="112.922px" height="25px">1,13,14,9,8,7</TD> <TD width="84.125px" height="25px">5,7,3,8,9,11</TD> <TD width="141.727px" height="25px">23,24,25,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">08:00</TD> <TD width="132.125px" height="25px">1,10,11,12,30,88</TD> <TD width="112.922px" height="25px">12,13,14,9,81</TD> <TD width="84.125px" height="25px">5,7,3,8,9,17</TD> <TD width="141.727px" height="25px">23,24,25,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">08:30</TD> <TD width="132.125px" height="25px">1,10,11,12,30,99</TD> <TD width="112.922px" height="25px">12,13,14,9,81</TD> <TD width="84.125px" height="25px">5,7,3,8,9,18</TD> <TD width="141.727px" height="25px">23,24,25,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">09:00</TD> <TD width="132.125px" height="25px">1,11,12,30,23</TD> <TD width="112.922px" height="25px">11,1,14,9,7</TD> <TD width="84.125px" height="25px">10,7,3,8,9,18</TD> <TD width="141.727px" height="25px">23,24,25,17,18,19</TD> </TR> <TR> <TD width="52.5078px" height="25px">09:30</TD> <TD width="132.125px" height="25px">1,10,11,12,300</TD> <TD width="112.922px" height="25px">12,13,4,9,8,7</TD> <TD width="84.125px" height="25px">4,7,3,8,9,1</TD> <TD width="141.727px" height="25px">23,24,25,17,18,19</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Currently the result shows all the values for each field.<BR />What I am looking here is the top 3 values which has maximum count for each field, not sure how to pull that result.</P> <P>Request someone to guide.</P> Sat, 12 Mar 2022 05:14:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588708#M205017 bijodev1 2022-03-12T05:14:59Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588711#M205020 <P>Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values()</P> Fri, 11 Mar 2022 11:52:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588711#M205020 ITWhisperer 2022-03-11T11:52:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588716#M205022 <P>it was like this&nbsp;</P><P>mysearch |&nbsp;bucket _time span=10min<BR />| stats delim="," values(result) AS result count by _time xyz<BR />| nomv result<BR />| sort -count<BR />| dedup _time xyz<BR />| sort _time<BR />| xyseries _time xyz result<BR /><BR />Note : xyz contains these field1 , field2, field3, field4</P><P>also is it possible to append with the values - with its count. like for example :</P><P>time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; field1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; field3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field4</P><TABLE width="510px"><TBODY><TR><TD width="52.5078px" height="25px">05:30</TD><TD width="149.18px" height="25px">4(100),10(40)</TD><TD width="103.32px" height="25px">1(100),13(40),14(30)</TD><TD width="106.43px" height="25px">5(80),7(60),3(50)</TD><TD width="119.422px" height="25px">23(100),24(80),17(50)</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>The one in brackets shows the count per each value.</P> Fri, 11 Mar 2022 12:27:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588716#M205022 bijodev1 2022-03-11T12:27:36Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588726#M205025 <P>Does something like this work for you?</P><LI-CODE lang="markup">mysearch | bin _time span=10min | stats count by _time xyz result | sort _time xyz -count | streamstats count as rank global=f by _time xyz | where rank &lt; 4 | eval result=result."(".count.")" | stats delim=", " values(result) AS result by _time xyz | nomv result | xyseries _time xyz result</LI-CODE> Fri, 11 Mar 2022 12:54:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588726#M205025 ITWhisperer 2022-03-11T12:54:54Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588738#M205027 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Thank you so much, it worked as expected.</P> Fri, 11 Mar 2022 14:47:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-xyseries-get-the-count-and-the-values-for-each/m-p/588738#M205027 bijodev1 2022-03-11T14:47:09Z