Splunk Search

How do I find the top 3 fields per dimension (for all dimensions) grouped by platform?

ausche
New Member

Let's say I have dimensions like country, content, subscriptionType, and I'd like to get the 3 most common fields grouped by platform say web, app, etc. How would I go about doing this?

An ideal output would be something like this

platform | country    | content             | subscriptionType
web      | us,uk,ca   | music,video,audio   | seo-trial,sem-trial,perf-trial
app      | us,ca,ch   | music,video,audio   | seo-trial,sem-trial,perf-trial

HiroshiSatoh
Champion

Using the top command, it is like this.

(your search)
|top 3 country,content,subscriptionType by platform

results:

platform,country,content,subscriptionType,count

app,us,music,seo-trial,100
app,ca,music,sem-trial,50
app,ch,music,perf-trial,10
web,us,music,seo-trial,150
web,uk,video,sem-trial,100
web,ca,audio,perf-trial,30


ausche
New Member

That would be the top of those dimensions together, but how do we achieve top of each dimension independently?


HiroshiSatoh
Champion

Is it like this?

(your search)|top 3 country by platform
| append [search (your search)|top 3 content by platform]
| append [search (your search)|top 3 subscriptionType by platform]
| fields - count percent
|stats list(*) as * by platform
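A single-pass alternative to the three appended subsearches above, added here as an example and not part of the original answers: each event is unpivoted into dimension=value pairs, ranked per platform and dimension with streamstats, cut to the top 3, then pivoted into the wide layout the question asked for. It assumes the field names from the thread (platform, country, content, subscriptionType) and, like top, breaks ties in count arbitrarily.

```spl
(your search)
| fields platform country content subscriptionType
| eval pair=mvappend("country=".country, "content=".content, "subscriptionType=".subscriptionType)
| mvexpand pair
| rex field=pair "^(?<dimension>[^=]+)=(?<value>.*)$"
| stats count by platform dimension value
| sort 0 platform dimension -count
| streamstats count as rank by platform dimension
| where rank<=3
| stats list(value) as values by platform dimension
| eval values=mvjoin(values, ",")
| xyseries platform dimension values
```

Because the data is read once instead of three times, this also avoids the subsearch result limits that append can hit on large searches; add list(count) to the final stats if the counts are needed alongside the values.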