Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get only first 3 events as a result for each event/Field?

thezero
Path Finder
‎10-27-2014 07:04 PM

I am attempting to get first 3 events for each user field for which user count>3.

Basically what I am looking for is

1)Get stats count for user field out of all data

2)Identify events for which user count>3

3)Get only top 3 users out of all data for - user count>3

4)and final result which display only first 3 events for each user

for below query I am getting user count and top 3 users with max count.

index=windows | stats count by user | sort - count | head 3 |where count>3

result:

User count

User1 8
user2 4
user3 6

I want final result as 9 events---->containing first 3 events for each user.

Could you please advice?

Reply

jitsinha
Path Finder
‎11-10-2014 02:36 AM

try | head 3 after your search query

0 Karma
Reply

thezero
Path Finder
‎11-10-2014 12:24 AM

H Gkanapathy,

Thanks for the asnswer but its still showing only 3 results 😞

Regards,
Rahul

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-28-2014 07:28 AM

Ah I see you've modified your question. Then perhaps:

index=windows [ search index=windows | top limit=3 showperc=f user | where count > 3 ] | eventstats count by user | dedup 3 user sortby - count

0 Karma
Reply

Jeff_Lightly_Sp
Communicator
‎10-28-2014 07:27 AM

Does this get close to what you need? i just used 'eventtype' as an example.

index=windows | stats count by user,eventtype | sort - user,eventtype | where count > 3 | top limit=3 eventtype by user

0 Karma
Reply

davebrooking
Contributor
‎10-28-2014 03:40 AM

I think the streamstats command is what you may need to use to rank the events - take a look at this answer, I believe it should point you in the right direction

Dave

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-27-2014 07:51 PM 
index=windows | top limit=3 user | where count > 3
0 Karma
Reply

0YAoNnmRmKDg
Path Finder
‎10-27-2014 07:31 PM

try this

index=windows | stats count by user | where count>3 | top 3

otherwise try expanding your question a bit - its a little hard to follow...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...