Splunk Search

How to find top results by another field while including time in the table output?

jfreund
Explorer

Hey folks, I have data formatted as follows

time fielda fieldb

I want to find the top 3 values of fielda for each of fieldb, but for each result I need to know the time for which the top value occurred.

I found I can use top to get the top 3 fielda by fieldb, yet time is stripped from the table:
|top limit=3 fielda by fieldb

Is there a way to use top to maintain that data, or perhaps an alternative command or set of commands I can use to get what I'm looking for?

0 Karma

lguinn2
Legend

Try this:

yoursearchhere
| sort 0 fieldb -fielda
| eval counter=1
| streamstats current=true global=f sum(counter) as index by fieldb
| where index < 4
| table fieldb fielda _time
0 Karma

jfreund
Explorer

The data set includes a time value for each entry (hence the "time" field I listed in line 2 of my inquiry). That is the time of the entry containing fielda and fieldb. So I want that field maintained in the resulting top output. It could be time or anything else really.

0 Karma

somesoni2
SplunkTrust

Do you mean maximum value instead of top value for fielda?

0 Karma

lguinn2
Legend

I think that is what jfreund meant.

0 Karma

lguinn2
Legend

What do you mean by "when the top value occurred"? The top command counts the number of events for each value of fielda and fieldb. Therefore the count covers a number of events, not just one. You could use the time of the first event for each value, or the last event or even something else ...

0 Karma
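To make lguinn2's point concrete, the following search is an added example (not code posted by anyone in this thread) that keeps the top 3 fielda values per fieldb by event count, in the sense that the top command uses, while also retaining the first and last event time for each (fieldb, fielda) pair. `yoursearchhere` is a placeholder for the base search, and the field names follow the question.

```spl
yoursearchhere
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY fieldb, fielda
| sort 0 fieldb, -count
| streamstats count AS rank BY fieldb
| where rank <= 3
| convert ctime(first_seen), ctime(last_seen)
| table fieldb, fielda, count, first_seen, last_seen
```

The stats line does the same counting as top but adds the earliest and latest _time for each value pair; sort orders each fieldb group by descending count, streamstats numbers the rows within each group, and the where clause keeps the first three. If the intent is actually the largest fielda value rather than the most frequent one, drop the stats and sort lines and use lguinn2's sort 0 fieldb -fielda ordering instead, keeping _time in the final table.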