Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to return the 5 most repeat_count values per environment?

harsush
Path Finder
‎04-04-2018 10:15 AM

Hi Team,

need your help 

sourcetype=amc| search environment=* |top 5 showperc=f countfield="repeat_count" environment nodename

environment nodename    repeat_count
DR          Hostname1   636
Prod        Hostname2   117
Prod        Hostname3   108
Prod        Hostname4   102
Prod        Hostname5   87

who to get top 5 repeat_count host per environment [example show below] 

environment nodename    repeat_count
DR          Hostname1   636
DR          Hostname12  637
DR          Hostname13  638
DR          Hostname14  639
DR          Hostname15  640
Prod        Hostname21  117
Prod        Hostname22  108
Prod        Hostname23  102
Prod        Hostname24  87
Prod        Hostname25  86
Tags (2)
0 Karma
Reply

elliotproebstel
Champion
‎04-04-2018 10:30 AM

This should do what you're looking for:

sourcetype=amc environment=* 
| stats count AS repeat_count BY environment nodename 
| sort 0 - environment repeat_count 
| streamstats count AS top_count BY environment 
| where top_count<=5 
| fields environment nodename repeat_count

After generating the repeat_count value, it sorts all the values within each environment category by repeat_count. It then uses streamstats to generate a top_count value within each environment category. It filters out events with a top_count value greater than 5 (preserving only the top 5), and then organizes the fields as you displayed them.

0 Karma
Reply

harsush
Path Finder
‎04-04-2018 10:36 AM

repeat_count is a field which has count of number of alerts

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...