topic Re: How to get only first 3 events as a result for each event/Field? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175159#M50266 <P>I think the streamstats command is what you may need to use to rank the events - take a look at <A href="http://answers.splunk.com/answers/24011/rank-data-from-web-access-files.html">this answer</A>, I believe it should point you in the right direction</P> <P>Dave</P> Tue, 28 Oct 2014 10:40:46 GMT davebrooking 2014-10-28T10:40:46Z How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175156#M50263 <P>I am attempting to get first 3 events for each user field for which user count&gt;3. </P> <P>Basically what I am looking for is</P> <P>1)Get stats count for user field out of all data</P> <P>2)Identify events for which user count&gt;3</P> <P>3)Get only top 3 users out of all data for - user count&gt;3</P> <P>4)and final result which display only first 3 events for each user </P> <P>for below query I am getting user count and top 3 users with max count. </P> <P>index=windows | stats count by user | sort - count | head 3 |where count&gt;3</P> <P>result:</P> <P>User count</P> <P>User1 8<BR /> user2 4<BR /> user3 6</P> <P>I want final result as 9 events----&gt;containing first 3 events for each user.</P> <P>Could you please advice?</P> Tue, 28 Oct 2014 02:04:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175156#M50263 thezero 2014-10-28T02:04:27Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175157#M50264 <P>try this </P> <P><CODE>index=windows | stats count by user | where count&gt;3 | top 3</CODE></P> <P>otherwise try expanding your question a bit - its a little hard to follow...</P> Tue, 28 Oct 2014 02:31:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175157#M50264 0YAoNnmRmKDg 2014-10-28T02:31:10Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175158#M50265 <PRE><CODE>index=windows | top limit=3 user | where count &gt; 3 </CODE></PRE> Tue, 28 Oct 2014 02:51:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175158#M50265 gkanapathy 2014-10-28T02:51:54Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175159#M50266 <P>I think the streamstats command is what you may need to use to rank the events - take a look at <A href="http://answers.splunk.com/answers/24011/rank-data-from-web-access-files.html">this answer</A>, I believe it should point you in the right direction</P> <P>Dave</P> Tue, 28 Oct 2014 10:40:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175159#M50266 davebrooking 2014-10-28T10:40:46Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175160#M50267 <P>Does this get close to what you need? i just used 'eventtype' as an example.</P> <P>index=windows | stats count by user,eventtype | sort - user,eventtype | where count &gt; 3 | top limit=3 eventtype by user</P> Tue, 28 Oct 2014 14:27:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175160#M50267 Jeff_Lightly_Sp 2014-10-28T14:27:22Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175161#M50268 <P>Ah I see you've modified your question. Then perhaps:</P> <P>index=windows [ search index=windows | top limit=3 showperc=f user | where count &gt; 3 ] | eventstats count by user | dedup 3 user sortby - count</P> Tue, 28 Oct 2014 14:28:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175161#M50268 gkanapathy 2014-10-28T14:28:35Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175162#M50269 <P>H Gkanapathy,</P> <P>Thanks for the asnswer but its still showing only 3 results <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Regards,<BR /> Rahul</P> Mon, 10 Nov 2014 08:24:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175162#M50269 thezero 2014-11-10T08:24:43Z Re: How to get only first 3 events as a result for each event/Field? https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175163#M50270 <P>try | head 3 after your search query</P> Mon, 10 Nov 2014 10:36:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-only-first-3-events-as-a-result-for-each-event-Field/m-p/175163#M50270 jitsinha 2014-11-10T10:36:48Z