Splunk Search

How do I give same rank for same score?

LearningGuy
Builder

Hello,
How do I give same rank for same score?
Student d and e has the same score of 73, thus they both Rank 4, but student f has Rank 6. Rank 5 is skipped because Student d and e has the same score. 
Thank you for your help

Expected result:

StudentScoreRank
a1001
b952
c843
d734
e734
f546
g437
h378
i229
j1210

 

This is what I figured out so far, but i won't take into consideration of same Score

 

 

| makeresults format=csv data="Student, Score  
a,100 
b,95
c,84
d,73
e,73
f,54
g,43
h,37
i,22
j,12"
| streamstats count

 

 

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| streamstats count as Rank
| streamstats window=2 range(Score) as range
| eval Rank=if(Rank=1 OR range != 0, Rank, null())
| filldown Rank

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

@LearningGuy as I said in the other post - you can probably solve that problem 😁

and as usual, @ITWhisperer comes up with the perfect elegant solution!

ITWhisperer
SplunkTrust
SplunkTrust
| streamstats count as Rank
| streamstats window=2 range(Score) as range
| eval Rank=if(Rank=1 OR range != 0, Rank, null())
| filldown Rank

LearningGuy
Builder

Hello
I tried your suggestion and it worked. I accepted this solution and will try on real data.
1)  Can you explain what this eval for?
It looks like if range is 0, you replace the pos with NULL and fill down with previous value, except for position one?

| eval Rank=if(Rank=1 OR range != 0, Rank, null())

  
2) Would it be possible to use only 1 streamstats instead of 2 streamstats?  

Thank you so much for your help

0 Karma

shalomsuresh
Explorer

If you want to avoid using 2 streamstats you shall try this way,

| streamstats count as Rank
| delta Score as Diff
| eval Rank=if(Diff=0,Rank-1,Rank)
| fields - Diff

And with 2 streamstats you shall try this so to avoid 1 extra filldown command,

| streamstats count as Rank
| streamstats window=2 range(Score) as range
| eval Rank=if(Rank=1 OR range != 0, Rank, Rank-1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

@shalomsuresh These solutions don't work if there are more than 3 with the same score, e.g. if "f" had a score of 73 as well.

shalomsuresh
Explorer

Yep you are right, I wasn't thinking about that. We can still use the following,

| streamstats count as Rank
| delta Score as Diff
| eval Rank=if(Diff=0,null,Rank)
| filldown
| fields - Diff
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

1) If the Rank is 1, it needs to remain 1, or if there is a difference in values, the rank needs to remain the same (as it is already correct), otherwise, if there is no difference between the current and previous value, the rank should be the same as the previous rank. By setting it to null(), when the filldown happens, the rank is copied down to all positions with the same rank.

2) It is not possible to do with just one streamstats because the first streamstats has to operate over the whole pipeline, whereas the second has to operate with a (rolling) window of two events.

PickleRick
SplunkTrust
SplunkTrust

2) Actually you can get away with just one streamstats. Replace the other one with autoregress. (But yes, it will still give you two separate passes across your results)

ITWhisperer
SplunkTrust
SplunkTrust

Autoregress is the same as

| streamstats window=2 current=f last(Score) as Score_p1

PickleRick
SplunkTrust
SplunkTrust

Sure, it is. But it's formally a different command 😉

PickleRick
SplunkTrust
SplunkTrust

From the top of my head. Untested, might need some tweaking.

| stats values(App) as App count by Score
| streamstats sum(count) as rank
| mvexpand App
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...