Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get only first 3 events as a result for each event/Field?

thezero
Path Finder
‎10-27-2014 07:04 PM

I am attempting to get first 3 events for each user field for which user count>3.

Basically what I am looking for is

1)Get stats count for user field out of all data

2)Identify events for which user count>3

3)Get only top 3 users out of all data for - user count>3

4)and final result which display only first 3 events for each user

for below query I am getting user count and top 3 users with max count.

index=windows | stats count by user | sort - count | head 3 |where count>3

result:

User count

User1 8
user2 4
user3 6

I want final result as 9 events---->containing first 3 events for each user.

Could you please advice?

Reply

jitsinha
Path Finder
‎11-10-2014 02:36 AM

try | head 3 after your search query

0 Karma
Reply

thezero
Path Finder
‎11-10-2014 12:24 AM

H Gkanapathy,

Thanks for the asnswer but its still showing only 3 results 😞

Regards,
Rahul

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-28-2014 07:28 AM

Ah I see you've modified your question. Then perhaps:

index=windows [ search index=windows | top limit=3 showperc=f user | where count > 3 ] | eventstats count by user | dedup 3 user sortby - count

0 Karma
Reply

Jeff_Lightly_Sp
Communicator
‎10-28-2014 07:27 AM

Does this get close to what you need? i just used 'eventtype' as an example.

index=windows | stats count by user,eventtype | sort - user,eventtype | where count > 3 | top limit=3 eventtype by user

0 Karma
Reply

davebrooking
Contributor
‎10-28-2014 03:40 AM

I think the streamstats command is what you may need to use to rank the events - take a look at this answer, I believe it should point you in the right direction

Dave

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-27-2014 07:51 PM 
index=windows | top limit=3 user | where count > 3
0 Karma
Reply

0YAoNnmRmKDg
Path Finder
‎10-27-2014 07:31 PM

try this

index=windows | stats count by user | where count>3 | top 3

otherwise try expanding your question a bit - its a little hard to follow...

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top