Splunk Search

How to use the result of top command to a stats command?

innoce
Path Finder

Hi.
I have a search as below

index=myindex sourcetype=mytype field1=* field2=* |stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2

Now, field1 and field2 has more than 10k values. so I need to find the top 100 values of field1 & field2 and use only that to my |stats

Tried something like this:

index=myindex sourcetype=mytype field1=* field2=* [|search index=myindex sourcetype=mytype field1=* field2=* |top 100 field1 field2 |fields field1 field2 |format] 
|stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2


but didn't work as expected


Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

rafadvega
Path Finder

Is it possible that you need is the command head? Something like this:

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
| sort -count1, -count2
| head 100
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

innoce
Path Finder

thanks @kamlesh_vaghela 

Your first solution worked as expected!

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...