Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to find the top 5 distinct count and the total?

splunkrocks2014
Communicator
‎02-06-2017 08:44 PM

Assuming I have a lookup table with movie title and location, and I got the top 5 location based on distinct title count from the following search. What is the best way to get the top 5 distinct title count and the total from a search? Thanks. 

| inputlookup movies.csv | stats dc(title) as count by location | sort limit=5 -count
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-11-2017 09:05 AM

@splunkrocks2014 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

Reply

woodcock
Esteemed Legend
‎02-07-2017 07:17 AM

Like this:

| inputlookup movies.csv | eventstats dc(title) AS TotalTitles | stats first(TotalTitles) AS TotalTitles dc(title) AS count BY location | sort 5 -count | eval count = count . "/" . TotalTitles | fields - TotalTitles
0 Karma
Reply

somesoni2
Revered Legend
‎02-07-2017 06:47 AM

Try like this

| inputlookup movies.csv | stats dc(title) as count by location | eventstats sum(count) as total | sort limit=5 -count
0 Karma
Reply

adayton20
Contributor
‎02-07-2017 04:41 AM

Are you simply trying to sum a total count from all the distinct title counts? Ie, adding together all counts in the column? You could try using addcoltotals: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addcoltotals

If that doesn't answer your question, could you describe a little further what you're looking for?

0 Karma
Reply

splunkrocks2014
Communicator
‎02-07-2017 06:10 AM

If the query doesn't calculate the unique count, "addcoltotals" does all the work, for instance,

| inputlookup movies.csv | stats count(title) as count by location | sort limit=5 -count | addcoltotals

However, when used in the distinct query, "addcoltotals" adds up all numbers from dc(Title) which is incorrect.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2017 11:39 PM

Hi splunkrocks2014,
what is your question? your search seems to be correct.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...