Let me make an example to clarify:
Now I have a search result like this:
How can I get the top 3 counts of each index?
In the end, I want to get a search result like this:
Hope this is clear. Thanks in advance!
You need the top command, like this:
... | top limit=3 count BY index
Or, to keep the country field, this:
... | sort 0 - count | streamstats current=t count AS rank by index | where rank<4 | sort 0 index count
Thanks, the second one works!
Thanks! The second one works perfectly!
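The ranking approach from the accepted answer, as an added example that is not part of the original posts: a self-contained search that runs without any indexed data. The field names index, country and count come from the thread; the index names sample_a and sample_b and all values are constructed, and sample_a contains a tie on purpose. It computes a dense rank alongside the answer's positional rank.

```spl
| makeresults count=8
| streamstats count AS n
| eval index=if(n<=4, "sample_a", "sample_b")
| eval country=mvindex(split("US,DE,FR,JP,US,BR,IN,CN", ","), n-1)
| eval count=tonumber(mvindex(split("50,40,40,30,90,70,60,10", ","), n-1))
| fields - _time n
| sort 0 index -count
| streamstats count AS rank dc(count) AS dense_rank BY index
| where rank<=3
| sort 0 index -count
```

Filtering on `dense_rank<=3` instead of `rank<=3` keeps every row whose count is among the three highest distinct values in its index, so tied rows are not cut off at exactly three per index.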