https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106322#M27644 <P>I have a splunk instance with many serviceName's in the logs. Is there a query where I can extract the top 15 of each serviceName? My service names include data such as snmp, syslog, etc. I want the top 15 of each type</P> <P>Thanks.</P> Fri, 20 May 2011 15:42:56 GMT DTERM 2011-05-20T15:42:56Z https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106322#M27644 <P>I have a splunk instance with many serviceName's in the logs. Is there a query where I can extract the top 15 of each serviceName? My service names include data such as snmp, syslog, etc. I want the top 15 of each type</P> <P>Thanks.</P> Fri, 20 May 2011 15:42:56 GMT https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106322#M27644 DTERM 2011-05-20T15:42:56Z https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106323#M27645 <P>Splunk's dedup command is right for the job:</P> <PRE><CODE>&lt;your search&gt; | dedup 15 serviceName </CODE></PRE> Fri, 20 May 2011 16:12:33 GMT https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106323#M27645 hazekamp 2011-05-20T16:12:33Z https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106324#M27646 <P>I am not sure that I understand the results that you want. If you want to see the 15 most common serviceNames, try this</P> <PRE><CODE>&lt;your search&gt; | top limit=15 serviceName </CODE></PRE> <P>This will show the most common 15 serviceNames, along with the number of events for each serviceName. The results are displayed in a table. If you click on a row of the table, you will see the underlying events for the corresponding serviceName.</P> Sat, 21 May 2011 01:35:36 GMT https://community.splunk.com/t5/Splunk-Search/top-n-by-servicename/m-p/106324#M27646 lguinn2 2011-05-21T01:35:36Z