https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157161#M44218 <P>Hi, i have a report where i show top 50 404s by uri as shown below. Now i want to get the top referer for each URI in the same report. is it possible? </P> <P>URI COUNT %<BR /><BR /> XXX 50 50%<BR /> YYY 25 25% <BR /> ZZZ 25 25%</P> <P>output should have<BR /> URI COUNT % Referer Referercount REferer%<BR /> XXX 50 50%<BR /> YYY 25 25% <BR /> ZZZ 25 25%</P> Wed, 19 Feb 2014 14:28:59 GMT xvxt006 2014-02-19T14:28:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157161#M44218 <P>Hi, i have a report where i show top 50 404s by uri as shown below. Now i want to get the top referer for each URI in the same report. is it possible? </P> <P>URI COUNT %<BR /><BR /> XXX 50 50%<BR /> YYY 25 25% <BR /> ZZZ 25 25%</P> <P>output should have<BR /> URI COUNT % Referer Referercount REferer%<BR /> XXX 50 50%<BR /> YYY 25 25% <BR /> ZZZ 25 25%</P> Wed, 19 Feb 2014 14:28:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157161#M44218 xvxt006 2014-02-19T14:28:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157162#M44219 <P>You can try:</P> <P><CODE>|top limit=50 uri |append [yoursearch |top top limit=50 referer by uri]</CODE></P> <P>I've not tried this, but in theory it should work.</P> Wed, 19 Feb 2014 14:38:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157162#M44219 lukejadamec 2014-02-19T14:38:42Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157163#M44220 <P>that will give me top referers but i want to get top uris for 404s and then for those uris i need top referers</P> Wed, 19 Feb 2014 14:43:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157163#M44220 xvxt006 2014-02-19T14:43:44Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157164#M44221 <P>Right, you want to maintain the numbers for both. I updated the answer.</P> Wed, 19 Feb 2014 14:53:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157164#M44221 lukejadamec 2014-02-19T14:53:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157165#M44222 <PRE><CODE>yoursearch | top uri | join uri [search yoursearch | top uri referrer | eval referer_count=count | eval referer_percent=percent] | table uri count percent referrer referer_count referer_percent </CODE></PRE> Wed, 19 Feb 2014 15:04:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157165#M44222 thslopes 2014-02-19T15:04:34Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157166#M44223 <P>Here's an approach to keep things within one search:</P> <PRE><CODE>your search yielding 404 events | stats c by uri referer | eventstats max(c) as max sum(c) as count by uri | where max==c | fields - max c </CODE></PRE> <P>You may want to sort, calculate percentages, and cut after the first n results afterwards to look similar to top.<BR /> Note: This does not handle cases where the top referers for one uri have equal counts. If that's important for you you can insert a <CODE>... | streamstats count as number by uri referer | where number==1 | fields - number</CODE> at the end.</P> Wed, 19 Feb 2014 15:37:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157166#M44223 martin_mueller 2014-02-19T15:37:36Z https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157167#M44224 <P>Thank you all for your inputs</P> Wed, 19 Feb 2014 20:01:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-top-values/m-p/157167#M44224 xvxt006 2014-02-19T20:01:08Z