topic Is it possible to get sum of Top 5 values per field? in Splunk Search

Is it possible to get sum of Top 5 values per field?

ISP8055 — Thu, 21 Apr 2022 14:25:21 GMT

Hi there,

So, I have table with Server Names and their load values

Server Load capacity G1 10 G1 80 G2 6 G2 25 G1 50 G3 15 G2 5 G4 20 G5 30 and so on...

Is there a way to get sum of top 3 fields by Server?

I can do that if I limit it to just one server by:

my search | search "Server"="G1" | sort- Load | head 3 | stats sum(Load)

But I want to know for all servers to see which one is getting highest loads on average.

Re: Is it possible to get sum of Top 5 values per field.

bowesmana — Wed, 20 Apr 2022 22:53:32 GMT

This example shows you how you can filter 3 events from each server, which follows your example search

Like your example, it is not sorting any Load value so will just return the first 3 load figures for each server

If you want to find the highest 3 load values per server then you need to add in the sort command before streamstats, i.e.

and then of course if you want to take time into account and find the most recent, highest load values, then you would need them in time descending order (default after search).

Hopefully this helps. You can just paste these examples into a search window. They create 1000 random data points for 5 servers and then random Load values for each.

Re: Is it possible to get sum of Top 5 values per field.

ITWhisperer — Thu, 21 Apr 2022 07:00:40 GMT

| sort Server -Load | streamstats count by Server | eval Load=if(count<=3,Load,null()) | stats sum(Load) as Load by Server

Re: Is it possible to get sum of Top 5 values per field.

ISP8055 — Fri, 22 Apr 2022 20:54:56 GMT

| eval Server="G".((random() % 5)+1) Will I need this syntax if my all of my actual server names don't start with G? What does this command do? | eval Load=random() % Could you explain what does this syntax do?

Re: Is it possible to get sum of Top 5 values per field.

bowesmana — Mon, 25 Apr 2022 23:52:38 GMT

This part of those searches

| makeresults count=1000 | fields - _time | eval Server="G".((random() % 5)+1) | eval Load=random() % 100

is just code to create 1000 random events with a field 'Server' that has one of 5 different values, in order to present a solution, as I do not have access to your data.

Re: Is it possible to get sum of Top 5 values per field?

kamlesh_vaghela — Tue, 26 Apr 2022 05:52:58 GMT

@ISP8055

Can you please try this?

YOUR_SEARCH | sort - Server Load | streamstats count by Server | where count<=3 | stats sum(Load) As Load by Server

My Sample Search :

I hope this will help you.

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Is it possible to get sum of Top 5 values per field?

ISP8055 — Tue, 26 Apr 2022 17:38:49 GMT

Sorry, I'm getting no results found using this syntax.