Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the result of top command to a stats command?

innoce
Path Finder
‎11-12-2021 02:10 AM

Hi.
I have a search as below

index=myindex sourcetype=mytype field1=* field2=* |stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2

Now, field1 and field2 has more than 10k values. so I need to find the top 100 values of field1 & field2 and use only that to my |stats

Tried something like this:

index=myindex sourcetype=mytype field1=* field2=* [|search index=myindex sourcetype=mytype field1=* field2=* |top 100 field1 field2 |fields field1 field2 |format] 
|stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2


but didn't work as expected


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-12-2021 07:14 AM

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

rafadvega
Path Finder
‎11-12-2021 07:19 AM

Is it possible that you need is the command head? Something like this:

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
| sort -count1, -count2
| head 100
0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-12-2021 07:14 AM

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

innoce
Path Finder
‎11-17-2021 11:12 PM

thanks @kamlesh_vaghela 

Your first solution worked as expected!

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top