Hi.
I have a search as below
index=myindex sourcetype=mytype field1=* field2=* |stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
Now, field1 and field2 have more than 10k values, so I need to find the top 100 values of field1 & field2 and use only those in my |stats
Tried something like this:
index=myindex sourcetype=mytype field1=* field2=* [|search index=myindex sourcetype=mytype field1=* field2=* |top 100 field1 field2 |fields field1 field2 |format]
|stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
but it didn't work as expected
Can you please try this?
index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
OR
index=myindex sourcetype=mytype field1=* field2=*
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100
Thanks
KV
▄︻̷̿┻̿═━一 😉
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
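As an added illustration of the first pattern above (not code from the original thread or from the answerer), here is the same subsearch-then-stats shape applied to a security use case: limiting a per-user/per-source login report to the 100 user+src pairs that generate the most events. The index name `auth`, the sourcetype `linux_secure` and the field names `user`, `src` and `action` (with values `failure`/`success`) are assumptions for the example; substitute your own.

```spl
index=auth sourcetype=linux_secure user=* src=*
    [ search index=auth sourcetype=linux_secure user=* src=*
      | top 100 user src
      | table user src ]
| stats count(eval(action="failure")) AS failed
        count(eval(action="success")) AS succeeded
        BY user src
| sort - failed
```

How it works: `top 100 user src` ranks the *combinations* of user and src by event count, and `| table user src` keeps only those two fields so that the `count` and `percent` columns that `top` adds are not turned into search terms. The subsearch is then expanded into a filter of the form `((user="alice" AND src="10.0.0.5") OR (user="bob" AND src="10.0.0.9") OR ...)` and ANDed onto the outer search, so the outer `stats` only ever sees events from those 100 pairs. Two caveats a practitioner should keep in mind: the subsearch reruns the base search, and subsearches are subject to the limits in limits.conf (by default a result cap of 10,000 rows and a 60-second runtime), which is why a `top 100` is a safe size but a `top 50000` would be silently truncated; and `top` ranks pairs by total event volume, not by the eval'd conditions, so a pair with many failures but a low overall count can fall outside the top 100. If ranking by the condition counts matters, the second variant in the answer above (run `stats` over everything, then `sort` and `head`) is the one to use.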
Is it possible that what you need is the head command? Something like this:
index=myindex sourcetype=mytype field1=* field2=*
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
| sort -count1, -count2
| head 100
thanks @kamlesh_vaghela
Your first solution worked as expected!