- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you list top items for each group?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to list the top 3 elements for each group. How would you do this?
Examples
Name score
Jon 100
Jon 54
Jon 90
Jon 72
Jon 87
Jane 89
Jane 99
Jane 66
Jane 56
Jane 100
Show the top 3 scores for each person?
Name score
Jon 100
Jon 90
Jon 87
Jane 100
Jane 99
Jane 89
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That worked and that was a really fast response. Very impressed with this community. Thanks splunkers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That worked and that was a really fast response. Very impressed with this community. Thanks splunkers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @peterlandis, Welcome to the Answers community! @cmerriman and @woodcock are awesome and super helpful. You can accept one of the answers and upvote the second if both worked for you. (You can actually upvote both as well.) This helps others use the answer in the future and awards everyone karma points. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | sort 0 Name -score | dedup 3 Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock I know this is an old thread, but I had similar requirement. Is it possible that this can be done without doing dedup ?
Is dedup not costly?
Thank You.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure you can. You already had the answer here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This worked perfectly. Appreciate the quick response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just curious why sort 0. What does 0 do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It makes it unlimited, otherwise it limits to 10K. Be sure to click Accept to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
0 essentially means there is no limit to how many events will be sorted. otherwise there is a default limit of 10000
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
something like this should work ...|sort 0 Name - score|streamstats count by Name|search count<4|fields - count
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
