Splunk Search

How to get the top 3 counts for each index?

Explorer

Let me make an example to clarify:

Now I have the search result like this:
[screenshot: current search results, with index, country and count columns]

How can I get the top 3 counts of each index?
In the end, I want to get search result like this:
[screenshot: desired search results, top 3 rows per index]

Hope this is clear. Thanks in advance!


Re: How to get the top 3 counts for each index?

Esteemed Legend

You need the top command, like this:

... | top limit=3 count BY index

Or, to keep the country field, this:

... | sort 0 - count | streamstats current=t count AS rank by index | where rank<4 | sort 0 index count

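To see the second search end to end, here is a self-contained SPL example (added here; it is not from the answer above or from Splunk's documentation). It builds a small constructed table with `makeresults` so it runs without any indexed data, then applies the same `sort` / `streamstats` / `where` pipeline. The index names, countries and counts are invented for the example.

```spl
| makeresults
| eval rows="web,US,120 web,DE,80 web,FR,60 web,JP,20 auth,US,50 auth,BR,45 auth,DE,30 auth,IN,10"
| makemv delim=" " rows
| mvexpand rows
| rex field=rows "^(?<index>[^,]+),(?<country>[^,]+),(?<count>\d+)$"
| eval count=tonumber(count)
| table index country count
| sort 0 - count
| streamstats current=t count AS rank BY index
| where rank<4
| sort 0 index count
```

The `sort 0 - count` step orders every row by count descending (the `0` removes the default 10,000-row cap), `streamstats count AS rank BY index` then numbers rows 1, 2, 3, ... separately within each index in that order, and `where rank<4` keeps only the first three per index. With the constructed data this returns six rows: `auth` DE 30, BR 45, US 50 and `web` FR 60, DE 80, US 120 (the final `sort 0 index count` lists them by index and ascending count, matching the answer; use `sort 0 index - count` if you prefer the largest first). The reason the `top` form drops `country` is that `top count BY index` summarises the most frequent values of the `count` field per index and emits only `count`, `index`, its own count and percent columns, whereas the `streamstats` form keeps every field of the original rows.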

Re: How to get the top 3 counts for each index?

Explorer

Thanks, the second one works!


Re: How to get the top 3 counts for each index?

Esteemed Legend

Which one?


Re: How to get the top 3 counts for each index?

Explorer

Thanks! The second one works perfectly!
