Populating top 2 failed-policy counts for each cyc... - Splunk Community

Splunk Search

I am trying to write a search for getting the top two failed policy count for each cycledate. The below works for a single day but not for multiple cycledates.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" | stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate | sort 2-FailedPolicy

Table without the sort 2 -FailedPolicy

error_ message	err_Code	CycleDate	FailedPolicy
Err1	20167	09112020	35
Err2	23461	09112020	12
Err3	23451	09112020	22
Err4	1324	09112020	3
Err5	134155	09102020	21
Err6	3245	09102020	81
Err7	1234	09102020	2
Err8	4124	09092020	21
Err9	567	09092020	31
Err10	9873	09092020	45

It isn't clear whether your search includes a space between "-" and "FailedPolicy"

| sort 2 - FailedPolicy

The dedup command can select the first two events for each value of a given field.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" 
| stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate 
| sort - FailedPolicy
| dedup 2 CycleDate

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide Staying ahead in the fast-paced ...