Hi Team,
I have the following result in place with a 30min bucket, using stats values() and then xyseries:
time | field1 | field2 | field3 | field4 |
05:30 | 4,10,11,12,30 | 1,13,14,9,8,7 | 5,7,3,8,9,1,55 | 23,24,17,18,19 |
06:00 | 19,10,11,12,30 | 12,3,14,9,8,7 | 1,17,3,8,1,34 | 22,2,25,17,18,19 |
06:30 | 20,10,11,12,55 | 11,13,14,9,18,7 | 10,7,3,8,9,1,4 | 23,24,26,1,18,49 |
07:00 | 21,10,11,12,44 | 12,13,17,9,7 | 6,7,3,9,1,23 | 23,24,25,17,18,19 |
07:30 | 31,10,11,12,50 | 1,13,14,9,8,7 | 5,7,3,8,9,11 | 23,24,25,17,18,19 |
08:00 | 1,10,11,12,30,88 | 12,13,14,9,81 | 5,7,3,8,9,17 | 23,24,25,17,18,19 |
08:30 | 1,10,11,12,30,99 | 12,13,14,9,81 | 5,7,3,8,9,18 | 23,24,25,17,18,19 |
09:00 | 1,11,12,30,23 | 11,1,14,9,7 | 10,7,3,8,9,18 | 23,24,25,17,18,19 |
09:30 | 1,10,11,12,300 | 12,13,4,9,8,7 | 4,7,3,8,9,1 | 23,24,25,17,18,19 |
Currently the result shows all the values for each field.
What I am looking for here are the top 3 values with the maximum count for each field; I am not sure how to pull that result.
Could someone please guide me?
Does something like this work for you?
mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result
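To make it clear what each stage of that search does (count per value, rank within each _time/xyz group, keep rank < 4, append the count, then pivot), here is a small Python reference implementation of the same logic. It is an added example, not ITWhisperer's code and not something from the thread; the event sample is constructed, and the helper names (top_n_with_counts, to_xyseries) are my own. One point it makes explicit that the SPL leaves implicit: when two values have the same count, `sort -count` does not define which one gets the lower rank, so this version breaks ties on the value itself to keep the output deterministic.

```python
from collections import Counter, defaultdict

# Constructed sample events: (time bucket, xyz field name, result value).
# Each tuple is one raw event, so repeating a tuple raises that value's count.
def _events(bucket, field, value_counts):
    return [(bucket, field, v) for v, c in value_counts.items() for _ in range(c)]

EVENTS = (
    _events("05:30", "field1", {"4": 5, "10": 3, "11": 2, "12": 1})
    + _events("05:30", "field2", {"1": 3, "13": 3, "14": 2, "9": 1})  # tie on count 3
    + _events("06:00", "field1", {"19": 4, "10": 1})                   # fewer than 3 values
)


def top_n_with_counts(events, n=3):
    """Equivalent of:
       stats count by _time xyz result
       | sort _time xyz -count
       | streamstats count as rank global=f by _time xyz
       | where rank < n+1
       | eval result=result."(".count.")"
       | stats delim=", " values(result) AS result by _time xyz | nomv result
    Returns {(time, field): "value(count), value(count), ..."}.
    """
    # stats count by _time xyz result
    counts = Counter(events)

    # Regroup per (_time, xyz) so ranking happens inside each group (global=f).
    groups = defaultdict(list)
    for (bucket, field, value), count in counts.items():
        groups[(bucket, field)].append((value, count))

    cells = {}
    for key, pairs in groups.items():
        # -count gives descending count; the value is a deterministic tie-break
        # (Splunk's sort does not promise an order for equal counts).
        pairs.sort(key=lambda p: (-p[1], p[0]))
        cells[key] = ", ".join(f"{value}({count})" for value, count in pairs[:n])
    return cells


def to_xyseries(cells, fields):
    """Equivalent of `xyseries _time xyz result`: one row per time bucket,
    one column per xyz field, empty string where a field had no events."""
    rows = defaultdict(dict)
    for (bucket, field), cell in cells.items():
        rows[bucket][field] = cell
    return [[bucket] + [rows[bucket].get(f, "") for f in fields] for bucket in sorted(rows)]


if __name__ == "__main__":
    table = to_xyseries(top_n_with_counts(EVENTS), ["field1", "field2"])
    print("time | field1 | field2 |")
    for row in table:
        print(" | ".join(row) + " |")
```

Running it prints the 05:30 row as `4(5), 10(3), 11(2) | 1(3), 13(3), 14(2)` and the 06:00 row with only `19(4), 10(1)` in field1, which is the same shape the SPL produces once `nomv` has flattened the multivalue field.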
@ITWhisperer Thank you so much, it worked as expected.
Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values().
It was like this:
mysearch | bucket _time span=10min
| stats delim="," values(result) AS result count by _time xyz
| nomv result
| sort -count
| dedup _time xyz
| sort _time
| xyseries _time xyz result
Note: xyz contains these fields: field1, field2, field3, field4.
Also, is it possible to append each value's count to the values? For example:
time | field1 | field2 | field3 | field4 |
05:30 | 4(100),10(40) | 1(100),13(40),14(30) | 5(80),7(60),3(50) | 23(100),24(80),17(50) |
The one in brackets shows the count per each value.