Splunk Search

How to use the result of top command to a stats command?

innoce
Path Finder

Hi.
I have a search as below

index=myindex sourcetype=mytype field1=* field2=* |stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2

Now, field1 and field2 has more than 10k values. so I need to find the top 100 values of field1 & field2 and use only that to my |stats

Tried something like this:

index=myindex sourcetype=mytype field1=* field2=* [|search index=myindex sourcetype=mytype field1=* field2=* |top 100 field1 field2 |fields field1 field2 |format] 
|stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2


but didn't work as expected


Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

rafadvega
Path Finder

Is it possible that you need is the command head? Something like this:

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
| sort -count1, -count2
| head 100
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

innoce
Path Finder

thanks @kamlesh_vaghela 

Your first solution worked as expected!

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...