Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to find the top 10 results based on a calculated field?

nibinabr
Communicator
‎01-19-2015 07:38 AM

Hi Splunkers,

I had a question 

ID       N1     N2    USER  CALCULATED_NUM
001      10     2     user_1    8
002      8      4     user_2    4
003      7      9     user_1   -2
.
.

CALCULATED_NUM=N1-N2

I need to write a search query that returns the top 10 CALCULATED_NUM by each USER.

....| table ID,CALCULATED_NUM,USER| sort by USER,-CALCULATED_NUM

gives me all the ID's sorted by user with CALCULATED_NUM sorted in desc order, but I need only the top 10 IDs per USER.

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-19-2015 09:07 AM

Hi nibinabr,

Look at this answer http://answers.splunk.com/answers/208658/how-to-limit-results-with-multiple-group-by-condit.html#ans... to get an example how this can be done.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-19-2015 09:07 AM

Hi nibinabr,

Look at this answer http://answers.splunk.com/answers/208658/how-to-limit-results-with-multiple-group-by-condit.html#ans... to get an example how this can be done.

cheers, MuS

Reply
Solved! Jump to solution

nibinabr
Communicator
‎01-19-2015 09:10 AM

Thanks MuS,

I found a similar post that helped me get into the solution.

http://answers.splunk.com/answers/148651/how-to-get-top-2-mb-users-per-website.html

Reply
Solved! Jump to solution

nibinabr
Communicator
‎01-19-2015 09:09 AM

I think I found a solution to the problem.

...| streamstats count by USER |table ID,CALCULATED_NUM,USER,count| sort by USER,-CALCULATED_NUM| where count<=10

Please let me know if there is straightforward way of doing this.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...