topic Re: Top to a sum by a field in Splunk Search

Top to a sum by a field

cmerriman — Mon, 28 Sep 2020 15:11:57 GMT

I am trying to get top 10 channels (chanName) by brand (BRAND) based on the duration (durationPerRoom). I have durationPerRoom sorted descending, and if I could head 10 by brand, that would be great. I have tried to do a top function, but it just counts the channels, or counts the durations, etc. Any ideas?

| stats sum(OF_ROOMS__C) as numberOfRooms,sum(sumDuration) as sumDuration by chanName BRAND|eval durationPerRoom=sumDuration/numberOfRooms| sort by durationPerRoom desc

Re: Top to a sum by a field

somesoni2 — Mon, 04 Nov 2013 21:07:46 GMT

Try adding following to your already existing search

|eval CountF=1|streamstats sum(CountF) as CountF by BRAND | | where CountF <11

Re: Top to a sum by a field

cmerriman — Tue, 05 Nov 2013 16:14:58 GMT

That worked PERFECTLY! Thank you!!!

Re: Top to a sum by a field

somesoni2 — Tue, 05 Nov 2013 16:41:06 GMT

Added my comment as answer, so that you can close the question.

Re: Top to a sum by a field

somesoni2 — Tue, 05 Nov 2013 16:41:26 GMT

Try adding following to your already existing search

|eval CountF=1|streamstats sum(CountF) as CountF by BRAND | where CountF <11