Solved: Re: Returning gamer rank based on region

gg_easy · ‎04-20-2023

Hello Splunk Enthusiast,

Let say I have an index that contains our player base, their gamer scores, their global rank, and the region they play the game in.

In separate search, I calculated the percentage of our players based on the region. The results came back that 70% of our users play in NA, 20% of our users play in SA, and10% of our users play in EU.

I want to create a query that looks at the index and returns the top users based on their global rank, region, and the percentage of our player base.

Example: Lets say the index ranks 2000 users and I want to see the top 100 users. Then 70% of those users must come from NA, 20% must come from SA, 10% players in EU. An additional condition is that this must return the top 100 users regardless of their global rank. If the global_rank of the best SA user is rank 75 and NA users are rank 1-74, then the query must still return the top 70 NA users and whatever global rank the top users from the SA region fall at.

Is there a simple way I can get these values using a combination of stats, top, etc?

somesoni2 · ‎04-21-2023

Give this a try. Everything before "| table user region score rank" is search to generate sample data, replace it with your actual search. On the 2nd the to the last row, the number that is multiplied to field 'perc' ("10*perc") is the number of top results you want to display change it to 100 as per your requirement.

| makeresults | eval raw="user1	NA	99	1#
user2	NA	98	2#
user3	NA	97	3#
user4	NA	96	4#
user5	SA	95	5#
user6	EU	94	6#
user7	NA	93	7#
user8	NA	92	8#
user9	NA	91	9#
user10	NA	90	10#
user11	SA	89	11#
user12	SA	88	12#
user13	NA	87	13#
user14	NA	86	14#
user15	NA	85	15#
user16	NA	84	16#
user17	EU	83	17#
user18	EU	82	18#
user19	EU	81	19#
user20	NA	80	20"| makemv raw delim="#" | mvexpand raw | rex field=raw "(?<user>\S+)\s+(?<region>\S+)\s+(?<score>\S+)\s+(?<rank>\d+)" 
| table user region score rank
| sort  region rank | streamstats count as sno by region | appendpipe [| stats count by region 
    | eventstats sum(count) as total 
    | eval perc=round(count*100/total) 
    | table region perc total] 
    | eventstats values(perc) as perc values(total) as total by region | where isnotnull(user)
    | eval threshold_sno=round(10*perc/100) 
| where sno<=threshold_sno

View solution in original post

somesoni2 · ‎04-21-2023

Give this a try. Everything before "| table user region score rank" is search to generate sample data, replace it with your actual search. On the 2nd the to the last row, the number that is multiplied to field 'perc' ("10*perc") is the number of top results you want to display change it to 100 as per your requirement.

| makeresults | eval raw="user1	NA	99	1#
user2	NA	98	2#
user3	NA	97	3#
user4	NA	96	4#
user5	SA	95	5#
user6	EU	94	6#
user7	NA	93	7#
user8	NA	92	8#
user9	NA	91	9#
user10	NA	90	10#
user11	SA	89	11#
user12	SA	88	12#
user13	NA	87	13#
user14	NA	86	14#
user15	NA	85	15#
user16	NA	84	16#
user17	EU	83	17#
user18	EU	82	18#
user19	EU	81	19#
user20	NA	80	20"| makemv raw delim="#" | mvexpand raw | rex field=raw "(?<user>\S+)\s+(?<region>\S+)\s+(?<score>\S+)\s+(?<rank>\d+)" 
| table user region score rank
| sort  region rank | streamstats count as sno by region | appendpipe [| stats count by region 
    | eventstats sum(count) as total 
    | eval perc=round(count*100/total) 
    | table region perc total] 
    | eventstats values(perc) as perc values(total) as total by region | where isnotnull(user)
    | eval threshold_sno=round(10*perc/100) 
| where sno<=threshold_sno

gg_easy · ‎04-25-2023

This worked perfectly! Thank you, you're a lifesaver!

woodcock · ‎04-20-2023

Give us sample data, your current searches (and output) or both.

How to return gamer rank based on region?

stats

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!