Hi,
Is it possible to find out the most common value of field=A for every user?
I would expect something like this, but i don't know a corresponding stats function:
... | stats function(country_code) BY user_id
BR
Heinz
Here, you would most likely want to use top
:
... | top limit=1 country_code by user_id
This will give you the top
country_code, limit of 1 per user.
I think you are looking for mode(x):
<your search> | stats mode(country_code) by user_id
I agree that mode function is most likely what @HeinzWaescher was looking for.
Because it is a stats function, you can also use it with eventstats to keep the events.
| eventstats mode(country_code) by user_id
For the example initially provided, the top command does not appear any better than the stats mode() command provided by @p3hndrx. But if you the top N values (N>=2), there is no function like values() that returns them sorted by frequency of occurrence.
Here, you would most likely want to use top
:
... | top limit=1 country_code by user_id
This will give you the top
country_code, limit of 1 per user.