Solved: Re: How to do a top limit on a table after a trans...

bmo017 · ‎08-18-2016

Hello,

I am trying to do a search to have a table display each country, and then from that, show the top three Services Ran. I am stumped with how to limit the ServiceRan column to only show the top three for each country without messing it up.

sourcetype= action=X| transaction country| table country,serviceRan

Currently with this search it outputs a table and displays two columns one being the country with one value, and another being the serviceRan with anywhere from 1 to 10 values for each country. Again, I would like to limit the serviceRan to only showing the top 3 results for that particular country.

sundareshr · ‎08-18-2016

Try this approach instead

sourcetype= action=X | streamstats count by country | where count<=3 | table  country serviceRan

*OR*

sourcetype= action=X | streamstats count by country | where count<=3 | stats values(serviceRan) as serviceRan by country

View solution in original post

sundareshr · ‎08-18-2016

Try this approach instead

sourcetype= action=X | streamstats count by country | where count<=3 | table  country serviceRan

*OR*

sourcetype= action=X | streamstats count by country | where count<=3 | stats values(serviceRan) as serviceRan by country

bmo017 · ‎08-19-2016

Perfect thank you, the second one worked perfect!

How to do a top limit on a table after a transaction search?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor