Archive

Top N results in table

ponsakthi
Engager

The intermediate result of a query is

Machine | ErrorType | ErrorCount
A | ErrorA | 4
A | ErrorB | 3
B | ErrorC | 6
B | ErrorD | 3
C | ErrorE | 3
C | ErrorF | 9

I want to show the top 1 result (in terms of ErrorCount) per machine. The result should look like

Machine | ErrorType | ErrorCount
A | ErrorA | 4
A | ErrorC | 6
B | ErrorF | 9

I tried using "top 1 ErrorCount by Machine" but it is trimming other useful fields like ErrorType.
How do I achieve this?


somesoni2
Revered Legend

Give this a try

your current search giving Machine, ErrorType, ErrorCount | sort 0 Machine, -num(ErrorCount) | dedup Machine
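As an added worked example (not part of the original thread), here is the same technique run end to end on the six rows from the question, generalized from "top 1" to "top N per machine". The reason `top 1 ErrorCount by Machine` lost ErrorType is that `top` only emits the fields you name plus count and percent; sorting and then keeping the first row per group preserves every field. The `makeresults`/`eval` lines are only there to fabricate the sample table inline so the search runs against no index; in practice replace them with your real search.

```spl
| makeresults count=6
| streamstats count as n
| eval Machine=case(n<=2, "A", n<=4, "B", true(), "C")
| eval ErrorType=case(n=1, "ErrorA", n=2, "ErrorB", n=3, "ErrorC", n=4, "ErrorD", n=5, "ErrorE", true(), "ErrorF")
| eval ErrorCount=case(n=1, 4, n=2, 3, n=3, 6, n=4, 3, n=5, 3, true(), 9)
| fields - _time n
| sort 0 Machine, -num(ErrorCount), ErrorType
| streamstats count as rank by Machine
| where rank <= 1
| fields - rank
```

Expected output: A/ErrorA/4, B/ErrorC/6, C/ErrorF/9. `sort 0` removes the default 10,000-row cap, `-num(ErrorCount)` forces a descending numeric rather than lexical sort, and the extra ErrorType sort key makes the winner deterministic when two error types on the same machine tie on count (both `dedup` and `streamstats` keep whichever row happens to come first otherwise). For N=1 this is equivalent to the `| sort 0 Machine, -num(ErrorCount) | dedup Machine` answer above; for any other N change `rank <= 1` accordingly.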