I want to list the top 3 elements for each group. How would you do this?
Examples
Name score
Jon 100
Jon 54
Jon 90
Jon 72
Jon 87
Jane 89
Jane 99
Jane 66
Jane 56
Jane 100
Show the top 3 scores for each person?
Name score
Jon 100
Jon 90
Jon 87
Jane 100
Jane 99
Jane 89
Thanks! That worked and that was a really fast response. Very impressed with this community. Thanks splunkers!
Hey @peterlandis, Welcome to the Answers community! @cmerriman and @woodcock are awesome and super helpful. You can accept one of the answers and upvote the second if both worked for you. (You can actually upvote both as well.) This helps others use the answer in the future and awards everyone karma points. 🙂
Like this:
... | sort 0 Name -score | dedup 3 Name
@woodcock I know this is an old thread, but I had a similar requirement. Is it possible that this can be done without doing dedup?
Is dedup not costly?
Thank You.
Sure you can. You already had the answer here.
Thanks! This worked perfectly. Appreciate the quick response.
Just curious why sort 0. What does 0 do?
It makes it unlimited, otherwise it limits to 10K. Be sure to click Accept to close the question.
0 essentially means there is no limit to how many events will be sorted. Otherwise there is a default limit of 10000.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
Something like this should work:
...|sort 0 Name - score|streamstats count by Name|search count<4|fields - count
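
The effect of the `0` in `sort 0` discussed in this thread can be reproduced with generated data. This is an added example, not part of the original posts; the 20000 rows and the helper field `n` are constructed here, with even rows assigned to Jon and odd rows to Jane.

```spl
| makeresults count=20000
| streamstats count AS n
| eval Name=if(n % 2 == 0, "Jon", "Jane"), score=n
| sort 0 Name -score
| dedup 3 Name
| table Name score
```

As written, the search returns three rows for each Name. With the `0` removed, `sort` keeps only the first 10000 sorted rows, which are all Jane's, so Jon drops out of the result without any error.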