Need help on a query - Splunk Community

Splunk Search

|msats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype

Results:

service	errorNumber	errortype	Failed
aaca	0	fail	8
aaca	10	pass	1000
aaca	25	fail	290
aaca	120	fail	8
aaca	80	pass	800
aaca	200	fail	400
aaca	210	pass	22
aaca	500	fail	10
aaw	120	fail	8
aaw	80	pass	2000
aaw	200	fail	3
aaw	210	pass	56
aaw	500	fail	22
aaw	0	pass	0
www	0	fail	8
www	10	pass	1000
www	25	fail	290
www	120	fail	8
www	80	pass	800
www	200	fail	400
amb	500	fail	10
amb	120	fail	8
amb	80	pass	2000
amb	200	fail	3
amb	210	pass	56
amb	500	fail	22
amb	0	pass	0
asf	0	fail	8
asf	10	pass	1000
asf	0	pass	0
asf	0	fail	8
asf	10	pass	1000

But we want the output as shown below:
We need only top 4 errornumber show up along with the failed count

service	errorNumber	errortype	Failed
aaca	0	fail	2538
10	pass
25	fail
120	fail
80	pass
200	fail
210	pass
500	fail
aaw	120	fail	2089
80	pass
200	fail
210	pass
500	fail
0	pass
www	0	fail	2506
10	pass
25	fail
120	fail
80	pass
200	fail
amb	500	fail	2099
120	fail
80	pass
200	fail
210	pass
500	fail
0	pass
asf	0	fail	2016
10	pass
0	pass
0	fail
10	pass

Either your table is misaligned or you're trying to do something very non-obvious.

I don't understand what is the relation beetween this:

service	errorNumber	errortype	Failed
aaca	0	fail	8
aaca	10	pass	1000
aaca	25	fail	290
aaca	120	fail	8
aaca	80	pass	800
aaca	200	fail	400
aaca	210	pass	22
aaca	500	fail	10

And this:

service	errorNumber	errortype	Failed
aaca	0	fail	2538
10	pass
25	fail
120	fail
80	pass
200	fail
210	pass
500	fail

Also remember that Splunk is not Excel so you can't merge cells

You can filter results like below;

| mstats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype | sort 4 - Failed

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience, ...