Splunk Search

Is it possible to find the most common value of a field per user?

HeinzWaescher
Motivator

Hi,

Is it possible to find out the most common value of field=A for every user?

I would expect something like this, but I don't know a corresponding stats function:

... | stats function(country_code) BY user_id

BR

Heinz


alacercogitatus
SplunkTrust

Here, you would most likely want to use top:

... | top limit=1 country_code by user_id

This will give you the top country_code, limit of 1 per user.


p3hndrx
Explorer

I think you are looking for mode(x):

<your search> | stats mode(country_code) by user_id

malvidin
Communicator


I agree that the mode function is most likely what @HeinzWaescher was looking for.

Because it is a stats function, you can also use it with eventstats to keep the events. 

| eventstats mode(country_code) by user_id

For the example initially provided, the top command does not appear any better than the stats mode() command provided by @p3hndrx. But if you want the top N values (N>=2), there is no function like values() that returns them sorted by frequency of occurrence.

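To make the difference between the three commands discussed in this thread concrete, here is an added example (not from the original thread, and not Splunk code) that re-implements the semantics of `stats mode(country_code) by user_id`, `top limit=N country_code by user_id` and `eventstats mode(country_code) by user_id` in plain Python over a handful of constructed login events. The event list, field names and the final `events_outside_mode` helper are assumptions made for illustration; the helper shows the defensive use of `eventstats`, keeping every event while flagging the ones whose country differs from the user's usual one. Tie-breaking between equally frequent values follows Python's `Counter.most_common` (first value seen wins) and is not a claim about how Splunk resolves ties.

```python
from collections import Counter, defaultdict

# Constructed sample events (not taken from the thread): one login per record.
SAMPLE_EVENTS = [
    {"user_id": "alice", "country_code": "DE"},
    {"user_id": "alice", "country_code": "DE"},
    {"user_id": "alice", "country_code": "US"},
    {"user_id": "bob", "country_code": "FR"},
    {"user_id": "bob", "country_code": "BR"},
    {"user_id": "bob", "country_code": "BR"},
    {"user_id": "bob", "country_code": "BR"},
    {"user_id": "carol", "country_code": "JP"},
]


def count_by_user(events, field="country_code", by="user_id"):
    """Count how often each value of `field` occurs for each value of `by`.
    Events missing either field are skipped, as Splunk stats would ignore them."""
    counts = defaultdict(Counter)
    for event in events:
        if by in event and field in event:
            counts[event[by]][event[field]] += 1
    return counts


def stats_mode(events, field="country_code", by="user_id"):
    """Equivalent of `stats mode(field) by user_id`:
    one result per user holding the single most frequent value."""
    return {
        user: counter.most_common(1)[0][0]
        for user, counter in count_by_user(events, field, by).items()
    }


def top_n(events, n, field="country_code", by="user_id"):
    """Equivalent of `top limit=n field by user_id`:
    per user, up to n (value, count, percent) rows sorted by count descending.
    With n=1 this matches the accepted answer; with n>=2 it gives the
    frequency-sorted list that no stats function returns directly."""
    result = {}
    for user, counter in count_by_user(events, field, by).items():
        total = sum(counter.values())
        result[user] = [
            (value, count, round(100.0 * count / total, 2))
            for value, count in counter.most_common(n)
        ]
    return result


def eventstats_mode(events, field="country_code", by="user_id"):
    """Equivalent of `eventstats mode(field) by user_id`:
    every original event is kept and annotated with its user's mode."""
    modes = stats_mode(events, field, by)
    annotated = []
    for event in events:
        row = dict(event)
        if by in event and event[by] in modes:
            row["mode(%s)" % field] = modes[event[by]]
        annotated.append(row)
    return annotated


def events_outside_mode(events, field="country_code", by="user_id"):
    """Hypothetical detection helper: return the events whose value differs
    from the user's most common one, i.e. what a follow-up
    `| where country_code != 'mode(country_code)'` would keep after eventstats."""
    mode_field = "mode(%s)" % field
    return [
        row for row in eventstats_mode(events, field, by)
        if mode_field in row and row[field] != row[mode_field]
    ]


if __name__ == "__main__":
    print("stats mode:", stats_mode(SAMPLE_EVENTS))
    print("top limit=2:", top_n(SAMPLE_EVENTS, 2))
    for row in events_outside_mode(SAMPLE_EVENTS):
        print("unusual country for", row["user_id"], "->", row["country_code"])
```

Running the script prints one mode per user, the top two countries per user with counts and percentages, and the two constructed events (alice from US, bob from FR) that differ from each user's usual country.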
