Solved: How can I select the maximum X values in a field b...

paulkrier · ‎07-24-2018

I have a data set that looks like this:

I would like to select the maximum 3 values in Y for each value of X:

I'm looking at sort and top, sort allows me to sort on each field, but the count argument seems to only work on the total number of results returned. Top is looking for the most common values, not the maximum values. Am I missing something?

Thanks,

pk

thambisetty · ‎07-24-2018

...| sort X, - Y | dedup 3 X

————————————
If this helps, give a like below.

View solution in original post

woodcock · ‎07-24-2018

Like this:

| makeresults 
| eval raw="1:5 1:4 1:3 1:2 1:1 2:10 2:9 2:8 2:4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<X>[^:]+):(?<Y>[^:]+)$"
| table X Y

| rename COMMENT "Everything above generates sample event data; everything below is your solution"

| stats values(Y) AS Y BY X
| eval Y=mvindex(Y, -3, mvcount(Y))

somesoni2 · ‎07-24-2018

Just add sort 3 -Y by X to the end of your current search.

paulkrier · ‎07-24-2018

I don't think the sort command supports the by keyword. At least not in 6.5.4 which is what I am on.

thambisetty · ‎07-24-2018

sort by is not working, I had tried this actually.

————————————
If this helps, give a like below.

woodcock · ‎07-24-2018

Like this:

| makeresults 
| eval raw="1:5 1:4 1:3 1:2 1:1 2:10 2:9 2:8 2:4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<X>[^:]+):(?<Y>[^:]+)$"
| table X Y

| rename COMMENT "Everything above generates sample event data; everything below is your solution"

| top 3 Y BY X

paulkrier · ‎07-24-2018

top returns the most common values not the max values. If you add additional 2:4 to the test data then 2:4 replaces 2:8 in the results. Thanks though. The code to create the test table is really useful.

thambisetty · ‎07-24-2018

yes you are right.

————————————
If this helps, give a like below.

thambisetty · ‎07-24-2018

...| sort X, - Y | dedup 3 X

————————————
If this helps, give a like below.

paulkrier · ‎07-24-2018

Brilliant! I didn't know dedup took the number of dups to keep. Thanks.

pradeepkumarg · ‎07-24-2018

 ...| sort X Y | dedup 3 X

How can I select the maximum X values in a field based on another field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation

How can I select the maximum X values in a field based on another field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026