https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618092#M214820 <P>Is this what you're after?</P><P>&nbsp;</P><LI-CODE lang="markup">source="tutorialdata.zip*" | eval X_{action}=action | stats count as total count(X_*) as X_* by itemId | sort - total | head 5 | rename X_* as * | fields - total</LI-CODE><P>&nbsp;</P><P>That will give you 5 rows of the most frequent itemId and then each column is a count of actions</P><P>Note the X_ prefix to the new field created is to allow the use of wildcards in the stats command to only collect the fields you're interested in.</P><P>You could also replace the eval/stats with&nbsp;</P><LI-CODE lang="markup">| eval X_{action}=1 | stats count as total sum(X_*) as X_* by itemId</LI-CODE><P>which may be slightly more efficient</P> Mon, 24 Oct 2022 00:41:27 GMT bowesmana 2022-10-24T00:41:27Z https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618091#M214819 <P>I need to create a new field to assign to the <STRONG>top</STRONG> results of a command using <STRONG>eval</STRONG>.&nbsp;</P> <P>Obviously this syntax doesn't work, so I'm looking for the correct query:</P> <P><FONT face="courier new,courier">source="tutorialdata.zip*" | eval popular = top limit=5 itemId | stats count(action) by popular, action</FONT></P> <P>Basically I only need the <STRONG>action</STRONG>&nbsp;stats of the top 5 itemId results of the following:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-10-23 at 7.43.46 PM.png" style="width: 889px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22123i687346FB7B58FAB6/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2022-10-23 at 7.43.46 PM.png" alt="Screen Shot 2022-10-23 at 7.43.46 PM.png" /></span></P> <P>&nbsp;</P> <P>Sorry for the n00b question; I am just getting started with Splunk. Thanks for your time!</P> Mon, 24 Oct 2022 13:21:52 GMT https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618091#M214819 splunkyphil 2022-10-24T13:21:52Z https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618092#M214820 <P>Is this what you're after?</P><P>&nbsp;</P><LI-CODE lang="markup">source="tutorialdata.zip*" | eval X_{action}=action | stats count as total count(X_*) as X_* by itemId | sort - total | head 5 | rename X_* as * | fields - total</LI-CODE><P>&nbsp;</P><P>That will give you 5 rows of the most frequent itemId and then each column is a count of actions</P><P>Note the X_ prefix to the new field created is to allow the use of wildcards in the stats command to only collect the fields you're interested in.</P><P>You could also replace the eval/stats with&nbsp;</P><LI-CODE lang="markup">| eval X_{action}=1 | stats count as total sum(X_*) as X_* by itemId</LI-CODE><P>which may be slightly more efficient</P> Mon, 24 Oct 2022 00:41:27 GMT https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618092#M214820 bowesmana 2022-10-24T00:41:27Z https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618097#M214823 <P>This works; thank you kindly!</P> Mon, 24 Oct 2022 04:05:01 GMT https://community.splunk.com/t5/Splunk-Search/Using-eval-to-Add-Field-for-top-Result/m-p/618097#M214823 splunkyphil 2022-10-24T04:05:01Z