Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get 1st 3 count

mahesh27
Communicator
‎05-05-2024 06:14 PM

Query:

|mstats sum(error.count) as Count where index=metrics_data by provider errorid errorname 
|search errorname=apf



Results:

provider errorid errorname Count
Digital it 401 apf 200.0000
Data St 200 apf 500.0000
dtst 0 apf 18.0000
Digital it 100 apf 55.0000
dtst 501 apf 16.0000
Digital it 0 apf 20.0000
Data St 200 apf 300.0000
dtst 201 apf 12.0000
Data St 404 apf 20.0000
Digital it 201 apf 10.0000
Data St 501 apf 10.0000
dtst 201 apf 9.0000
Data St 401 apf 8.0000
dtst 500 apf 3.0000
Data St 555 apf 5.0000
dtst 200 apf 2.0000


expected results:

provider errorname errorid Count
Digital it apf 401
100
0		 200.0000
55.0000
20.0000
Data St apf 200
200
404		 500.0000
300.0000
20.0000
dtst apf 0
501
201		 18.0000
16.0000
12.0000



Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 08:20 PM

One way on a small table (less than 100 items per provider) is to use stats list and then keep the first 3, here's an example

| makeresults format=csv data="provider,errorid,errorname,Count
Digital it,401,apf,200.0000
Data St,200,apf,500.0000
dtst,0,apf,18.0000
Digital it,100,apf,55.0000
dtst,501,apf,16.0000
Digital it,0,apf,20.0000
Data St,200,apf,300.0000
dtst,201,apf,12.0000
Data St,404,apf,20.0000
Digital it,201,apf,10.0000
Data St,501,apf,10.0000
dtst,201,apf,9.0000
Data St,401,apf,8.0000
dtst,500,apf,3.0000
Data St,555,apf,5.0000
dtst,200,apf,2.0000"
``` list() will retain order, but has a max of 100 items ```
| stats list(*) as * by provider errorname
``` This just retains the first 3 ```
| foreach Count errorid [ eval <<FIELD>>=mvindex(<<FIELD>>, 0, 2) ]

but if you have more complex data, it may not be suitable.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 09:22 PM

and a final way, again using streamstats, but with a more optimised way of collecting the results - if you have a lot of data, it's worth benchmarking each of these solutions as they may have different performance characteristics

| makeresults...
| streamstats count as seq global=f by provider errorname
| streamstats global=f list(eval(if(seq<4, Count, null()))) as Count list(eval(if(seq<4, errorid, null()))) as errorid by provider errorname
| where seq=3
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-06-2024 12:18 AM 
| streamstats list(Count) as Count list(errorid) as errorid by provider errorname global=f window=4
| where mvcount(Count) = 3

By setting the window to 4, only the 3rd one will have 3 values in the list

Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-06-2024 03:16 PM

Sweet - nice optimisation

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-05-2024 08:29 PM

Or you can use streamstats,

| makeresults...
| streamstats count as seq window=3 global=f list(*) as * by provider errorname
| where seq=3
| fields - seq
| streamstats count as seq window=3 global=f list(*) as * by provider errorname
| where seq=1
| fields - seq

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...