https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303652#M91339 <P>This should do what you're looking for:</P> <PRE><CODE>sourcetype=amc environment=* | stats count AS repeat_count BY environment nodename | sort 0 - environment repeat_count | streamstats count AS top_count BY environment | where top_count&lt;=5 | fields environment nodename repeat_count </CODE></PRE> <P>After generating the <CODE>repeat_count</CODE> value, it sorts all the values within each <CODE>environment</CODE> category by <CODE>repeat_count</CODE>. It then uses streamstats to generate a <CODE>top_count</CODE> value within each environment category. It filters out events with a <CODE>top_count</CODE> value greater than 5 (preserving only the top 5), and then organizes the fields as you displayed them.</P> Wed, 04 Apr 2018 17:30:58 GMT elliotproebstel 2018-04-04T17:30:58Z https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303651#M91338 <P>Hi Team,</P> <P><EM>need your help</EM> </P> <PRE><CODE>sourcetype=amc| search environment=* |top 5 showperc=f countfield="repeat_count" environment nodename environment nodename repeat_count DR Hostname1 636 Prod Hostname2 117 Prod Hostname3 108 Prod Hostname4 102 Prod Hostname5 87 </CODE></PRE> <P><STRONG>who to get top 5 repeat_count host per environment [example show below]</STRONG> </P> <PRE><CODE>environment nodename repeat_count DR Hostname1 636 DR Hostname12 637 DR Hostname13 638 DR Hostname14 639 DR Hostname15 640 Prod Hostname21 117 Prod Hostname22 108 Prod Hostname23 102 Prod Hostname24 87 Prod Hostname25 86 </CODE></PRE> Wed, 04 Apr 2018 17:15:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303651#M91338 harsush 2018-04-04T17:15:07Z https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303652#M91339 <P>This should do what you're looking for:</P> <PRE><CODE>sourcetype=amc environment=* | stats count AS repeat_count BY environment nodename | sort 0 - environment repeat_count | streamstats count AS top_count BY environment | where top_count&lt;=5 | fields environment nodename repeat_count </CODE></PRE> <P>After generating the <CODE>repeat_count</CODE> value, it sorts all the values within each <CODE>environment</CODE> category by <CODE>repeat_count</CODE>. It then uses streamstats to generate a <CODE>top_count</CODE> value within each environment category. It filters out events with a <CODE>top_count</CODE> value greater than 5 (preserving only the top 5), and then organizes the fields as you displayed them.</P> Wed, 04 Apr 2018 17:30:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303652#M91339 elliotproebstel 2018-04-04T17:30:58Z https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303653#M91340 <P>repeat_count is a field which has count of number of alerts</P> Wed, 04 Apr 2018 17:36:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-the-5-most-repeat-count-values-per-environment/m-p/303653#M91340 harsush 2018-04-04T17:36:50Z