topic How do you list top items for each group? in Splunk Search

How do you list top items for each group?

peterlandis — Tue, 05 Dec 2017 16:29:40 GMT

I want to list the top 3 elements for each group. How would you do this?

Examples
Name score
Jon 100
Jon 54
Jon 90
Jon 72
Jon 87
Jane 89
Jane 99
Jane 66
Jane 56
Jane 100

Show the top 3 scores for each person?

Name score
Jon 100
Jon 90
Jon 87
Jane 100
Jane 99
Jane 89

Re: How do you list top items for each group?

cmerriman — Tue, 05 Dec 2017 16:40:56 GMT

something like this should work ...|sort 0 Name - score|streamstats count by Name|search count<4|fields - count

Re: How do you list top items for each group?

woodcock — Tue, 05 Dec 2017 16:43:17 GMT

Like this:

... | sort 0 Name -score | dedup 3 Name

Re: How do you list top items for each group?

peterlandis — Tue, 05 Dec 2017 17:11:39 GMT

Thanks! That worked and that was a really fast response. Very impressed with this community. Thanks splunkers!

Re: How do you list top items for each group?

peterlandis — Tue, 05 Dec 2017 17:11:39 GMT

Thanks! That worked and that was a really fast response. Very impressed with this community. Thanks splunkers!

Re: How do you list top items for each group?

peterlandis — Tue, 05 Dec 2017 17:13:55 GMT

Thanks! This worked perfectly. Appreciate the quick response.

Re: How do you list top items for each group?

peterlandis — Tue, 05 Dec 2017 17:15:13 GMT

Just curious why sort 0. What does 0 do?

Re: How do you list top items for each group?

cmerriman — Tue, 05 Dec 2017 17:17:23 GMT

0 essentially means there is no limit to how many events will be sorted. otherwise there is a default limit of 10000

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

Re: How do you list top items for each group?

lfedak_splunk — Tue, 05 Dec 2017 17:17:27 GMT

Hey @peterlandis, Welcome to the Answers community! @cmerriman and @woodcock are awesome and super helpful. You can accept one of the answers and upvote the second if both worked for you. (You can actually upvote both as well.) This helps others use the answer in the future and awards everyone karma points. 🙂

Re: How do you list top items for each group?

woodcock — Tue, 05 Dec 2017 17:19:15 GMT

It makes it unlimited, otherwise it limits to 10K. Be sure to click Accept to close the question.

Re: How do you list top items for each group?

arusoft — Tue, 30 Nov 2021 16:54:04 GMT

@woodcock I know this is an old thread, but I had similar requirement. Is it possible that this can be done without doing dedup ?

Is dedup not costly?

Thank You.

Re: How do you list top items for each group?

PickleRick — Tue, 30 Nov 2021 20:12:03 GMT

Sure you can. You already had the answer here.

https://community.splunk.com/t5/Splunk-Search/How-do-you-list-top-items-for-each-group/m-p/328349/highlight/true#M97747