Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to find the top 5 distinct count and the total?

splunkrocks2014
Communicator
‎02-06-2017 08:44 PM

Assuming I have a lookup table with movie title and location, and I got the top 5 location based on distinct title count from the following search. What is the best way to get the top 5 distinct title count and the total from a search? Thanks. 

| inputlookup movies.csv | stats dc(title) as count by location | sort limit=5 -count
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-11-2017 09:05 AM

@splunkrocks2014 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

Reply

woodcock
Esteemed Legend
‎02-07-2017 07:17 AM

Like this:

| inputlookup movies.csv | eventstats dc(title) AS TotalTitles | stats first(TotalTitles) AS TotalTitles dc(title) AS count BY location | sort 5 -count | eval count = count . "/" . TotalTitles | fields - TotalTitles
0 Karma
Reply

somesoni2
Revered Legend
‎02-07-2017 06:47 AM

Try like this

| inputlookup movies.csv | stats dc(title) as count by location | eventstats sum(count) as total | sort limit=5 -count
0 Karma
Reply

adayton20
Contributor
‎02-07-2017 04:41 AM

Are you simply trying to sum a total count from all the distinct title counts? Ie, adding together all counts in the column? You could try using addcoltotals: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addcoltotals

If that doesn't answer your question, could you describe a little further what you're looking for?

0 Karma
Reply

splunkrocks2014
Communicator
‎02-07-2017 06:10 AM

If the query doesn't calculate the unique count, "addcoltotals" does all the work, for instance,

| inputlookup movies.csv | stats count(title) as count by location | sort limit=5 -count | addcoltotals

However, when used in the distinct query, "addcoltotals" adds up all numbers from dc(Title) which is incorrect.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2017 11:39 PM

Hi splunkrocks2014,
what is your question? your search seems to be correct.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...