Splunk Search

How to combine two searches and display as a single table?

pavanae
Builder

I have the below search_1

My search | top 5 users

I have a second search as below

My search | stats values(field_1) as field_1 values(field_2) as field_2 by users

Now how can I combine these two searches and display the result as a single table that contains the field_1 and field_2 values of the top 5 users only?

1 Solution

MattZerfas
Communicator

Why not just calculate the top users in your stats command by adding a count, since that is what top is doing, and then only grab the top 5 from the stats results after you sort it?

... | stats values(field_1) as field_1 values(field_2) as field_2 count by users | sort - count | head 5


twinspop
Influencer

Use a subsearch to collect the top 5 users:

[search My search | top 5 users | fields users] My search | stats values(field_1) as field_1 values(field_2) as field_2 by users

The results from that subsearch are OR'd together, something like this:

(users=ABC OR users=DEF OR users=GHI OR users=JKL OR users=MNO) My search ...

cmerriman
Super Champion

My search | top 5 users | join users [search My search | stats values(field_1) as field_1 values(field_2) as field_2 by users]

It probably isn't the most efficient way, but it should work.

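As an added example (written for this page, not posted by any of the answerers above), the following self-contained search builds a small constructed dataset with makeresults and then runs the stats / sort / head approach from the accepted answer, so the result can be checked in any Splunk instance without real data. The user names, the field_1 and field_2 values and the colon/semicolon delimiter format are all made up for illustration:

```spl
| makeresults
| eval data="alice:login:10.0.0.1;alice:login:10.0.0.2;alice:logout:10.0.0.1;alice:sudo:10.0.0.1;bob:login:10.0.0.3;bob:login:10.0.0.3;bob:logout:10.0.0.3;carol:sudo:10.0.0.4;carol:sudo:10.0.0.5;carol:login:10.0.0.4;dave:login:10.0.0.6;dave:logout:10.0.0.6;erin:login:10.0.0.7;erin:login:10.0.0.7;frank:login:10.0.0.8"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<users>[^:]+):(?<field_1>[^:]+):(?<field_2>.+)$"
| fields - _time data
| stats values(field_1) as field_1 values(field_2) as field_2 count by users
| sort - count
| head 5
```

The first six lines only fabricate fifteen events (one per semicolon-separated entry) with the fields users, field_1 and field_2; everything from the stats line on is the actual answer. With this input the table has five rows: alice (count 4), bob and carol (3 each), dave and erin (2 each), while frank (count 1) is dropped by head 5. Two things worth knowing when reading the output: values() deduplicates and sorts lexicographically, so alice's field_2 column shows 10.0.0.1 and 10.0.0.2 once each, and sort - count | head 5 can be written as sort 5 - count. The constructed data deliberately has no tie at the fifth position; with ties, which user lands in row five is not guaranteed. To check the subsearch variant from twinspop's answer instead, wrap a copy of the generating lines in [| makeresults ... | top 5 users | fields users] and feed it to a search command before the stats line; the | fields users is needed because top also emits count and percent columns, and the default subsearch limits (10,000 results, 60 seconds) are no concern for five users.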