Splunk Search

How to do a top limit on a table after a transaction search?

Path Finder

Hello,

I am trying to do a search to have a table display each country, and then from that, show the top three Services Ran. I am stumped with how to limit the ServiceRan column to only show the top three for each country without messing it up.

sourcetype= action=X| transaction country| table country,serviceRan

Currently, with this search, it outputs a table and displays two columns, one being the country with one value, and another being the serviceRan with anywhere from 1 to 10 values for each country. Again, I would like to limit the serviceRan to only showing the top 3 results for that particular country.

1 Solution

Legend

Try this approach instead

sourcetype= action=X | streamstats count by country | where count<=3 | table  country serviceRan

*OR*

sourcetype= action=X | streamstats count by country | where count<=3 | stats values(serviceRan) as serviceRan by country

Path Finder

Perfect, thank you, the second one worked perfectly!

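An added example, not part of the thread: a Python sketch over constructed events that mirrors the accepted `streamstats count by country | where count<=3 | stats values(serviceRan)` pipeline next to a per-country frequency ranking (what SPL's `top limit=3 serviceRan by country` computes), to show what each one keeps. The field names come from the question; the event values, function names and the alphabetical tie-break are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events (country, serviceRan), in the order the search returns them.
EVENTS = [
    ("US", "ssh"), ("US", "http"), ("US", "ssh"), ("US", "dns"),
    ("US", "smtp"), ("US", "ssh"), ("US", "dns"), ("US", "http"),
    ("DE", "rdp"), ("DE", "http"), ("DE", "rdp"),
]


def first_three_per_country(events, limit=3):
    """Mirror of: streamstats count by country | where count<=3
    | stats values(serviceRan) as serviceRan by country"""
    seen = Counter()
    kept = defaultdict(set)
    for country, service in events:
        seen[country] += 1              # streamstats: running count per country
        if seen[country] <= limit:      # where count<=3: first three events only
            kept[country].add(service)
    # stats values() returns distinct values in lexicographical order
    return {country: sorted(services) for country, services in kept.items()}


def top_three_per_country(events, limit=3):
    """Mirror of: top limit=3 serviceRan by country (rank by event count)."""
    counts = defaultdict(Counter)
    for country, service in events:
        counts[country][service] += 1
    result = {}
    for country, per_service in counts.items():
        # Ties broken alphabetically: an assumption made here for determinism.
        ranked = sorted(per_service.items(), key=lambda kv: (-kv[1], kv[0]))
        result[country] = [service for service, _ in ranked[:limit]]
    return result


if __name__ == "__main__":
    print("first three events:", first_three_per_country(EVENTS))
    print("top three by count:", top_three_per_country(EVENTS))
```

On this sample the first pipeline yields two distinct services for US because two of its first three events are both `ssh`, while the frequency ranking yields three.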