Solved: How to write a search to find the top 10 results b...

nibinabr · ‎01-19-2015

Hi Splunkers,

I had a question

ID       N1     N2    USER  CALCULATED_NUM
001      10     2     user_1    8
002      8      4     user_2    4
003      7      9     user_1   -2
.
.

CALCULATED_NUM=N1-N2

I need to write a search query that returns the top 10 CALCULATED_NUM by each USER.

....| table ID,CALCULATED_NUM,USER| sort by USER,-CALCULATED_NUM

gives me all the ID's sorted by user with CALCULATED_NUM sorted in desc order, but I need only the top 10 IDs per USER.

Thanks

MuS · ‎01-19-2015

Hi nibinabr,

cheers, MuS

MuS · ‎01-19-2015

Hi nibinabr,

cheers, MuS

nibinabr · ‎01-19-2015

Thanks MuS,

I found a similar post that helped me get into the solution.

nibinabr · ‎01-19-2015

I think I found a solution to the problem.

...| streamstats count by USER |table ID,CALCULATED_NUM,USER,count| sort by USER,-CALCULATED_NUM| where count<=10

Please let me know if there is straightforward way of doing this.

How to write a search to find the top 10 results based on a calculated field?