https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303443#M91298 <P>How do I modify the following query to return the name of the FRUIT with the highest count:</P> <PRE><CODE>index="myindex" URI="myuri" | stats count by FRUIT </CODE></PRE> <P>Thanks,<BR /> Jonathan</P> Wed, 21 Feb 2018 18:47:57 GMT jbrenner 2018-02-21T18:47:57Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303443#M91298 <P>How do I modify the following query to return the name of the FRUIT with the highest count:</P> <PRE><CODE>index="myindex" URI="myuri" | stats count by FRUIT </CODE></PRE> <P>Thanks,<BR /> Jonathan</P> Wed, 21 Feb 2018 18:47:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303443#M91298 jbrenner 2018-02-21T18:47:57Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303444#M91299 <P>Try this:</P> <PRE><CODE>index="myindex" URI="myuri" | stats count by FRUIT|stats max(count) as max </CODE></PRE> Wed, 21 Feb 2018 18:55:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303444#M91299 493669 2018-02-21T18:55:15Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303445#M91300 <P>That gives me the count, but I want to return the name of the fruit.</P> <P>Thanks,<BR /> Jonathan</P> Wed, 21 Feb 2018 19:00:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303445#M91300 jbrenner 2018-02-21T19:00:19Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303446#M91301 <P>ok then try this it will give max count with name of fruit:</P> <PRE><CODE>index="myindex" URI="myuri" | stats count by FRUIT|stats max(count) as max by FRUIT|head 1 </CODE></PRE> Wed, 21 Feb 2018 19:26:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303446#M91301 493669 2018-02-21T19:26:43Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303447#M91302 <P>You can do like this</P> <PRE><CODE>index="myindex" URI="myuri" | top 1 FRUIT </CODE></PRE> <P>This will give you name of top 1 FRUIT based on event count. You can adjust the number in top command to return more</P> Wed, 21 Feb 2018 19:33:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303447#M91302 somesoni2 2018-02-21T19:33:34Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303448#M91303 <P>Hi somesoni2,</P> <P>That is perfect, thanks!<BR /><BR /> Now how could I modify your query to return the fruit name concatenated to the count in a single string like so:</P> <PRE><CODE> apple:2013 </CODE></PRE> <P>Thanks,<BR /> Jonathan</P> Wed, 21 Feb 2018 19:45:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303448#M91303 jbrenner 2018-02-21T19:45:19Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303449#M91304 <P>A simple eval statement will do that</P> <PRE><CODE>above search | eval FRUIT=FRUIT.":".count </CODE></PRE> Wed, 21 Feb 2018 20:13:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-group-by-value-with-the-highest-number-of-items/m-p/303449#M91304 somesoni2 2018-02-21T20:13:52Z