Populating top 2 failed-policy counts for each cyc... - Splunk Community

Splunk Search

I am trying to write a search for getting the top two failed policy count for each cycledate. The below works for a single day but not for multiple cycledates.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" | stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate | sort 2-FailedPolicy

Table without the sort 2 -FailedPolicy

error_ message	err_Code	CycleDate	FailedPolicy
Err1	20167	09112020	35
Err2	23461	09112020	12
Err3	23451	09112020	22
Err4	1324	09112020	3
Err5	134155	09102020	21
Err6	3245	09102020	81
Err7	1234	09102020	2
Err8	4124	09092020	21
Err9	567	09092020	31
Err10	9873	09092020	45

It isn't clear whether your search includes a space between "-" and "FailedPolicy"

| sort 2 - FailedPolicy

The dedup command can select the first two events for each value of a given field.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" 
| stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate 
| sort - FailedPolicy
| dedup 2 CycleDate

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...