Splunk Search

How to use the result of top command to a stats command?

innoce
Explorer

Hi.
I have a search as below

index=myindex sourcetype=mytype field1=* field2=* |stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2

Now, field1 and field2 has more than 10k values. so I need to find the top 100 values of field1 & field2 and use only that to my |stats

Tried something like this:

index=myindex sourcetype=mytype field1=* field2=* [|search index=myindex sourcetype=mytype field1=* field2=* |top 100 field1 field2 |fields field1 field2 |format] 
|stats count(eval(condition1)) as count1 count(eval(condition2)) as count 2 by field1 field2


but didn't work as expected


Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

rafadvega
Path Finder

Is it possible that you need is the command head? Something like this:

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2
| sort -count1, -count2
| head 100
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@innoce 

Can you please try this?

index=myindex sourcetype=mytype [
index=myindex sourcetype=mytype field1=* field2=* | top 100 field1 field2 | table  field1 field2 ]
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 by field1 field2

 

OR

index=myindex sourcetype=mytype field1=* field2=* 
| stats count(eval(condition1)) as count1 count(eval(condition2)) as count2 count as cnt by field1 field2
| sort - cnt | head 100

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

innoce
Explorer

thanks @kamlesh_vaghela 

Your first solution worked as expected!

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>