Re: Populating top 2 failed-policy counts for each... - Splunk Community

Splunk Search

I am trying to write a search for getting the top two failed policy count for each cycledate. The below works for a single day but not for multiple cycledates.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" | stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate | sort 2-FailedPolicy

Table without the sort 2 -FailedPolicy

error_ message	err_Code	CycleDate	FailedPolicy
Err1	20167	09112020	35
Err2	23461	09112020	12
Err3	23451	09112020	22
Err4	1324	09112020	3
Err5	134155	09102020	21
Err6	3245	09102020	81
Err7	1234	09102020	2
Err8	4124	09092020	21
Err9	567	09092020	31
Err10	9873	09092020	45

It isn't clear whether your search includes a space between "-" and "FailedPolicy"

| sort 2 - FailedPolicy

The dedup command can select the first two events for each value of a given field.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" 
| stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate 
| sort - FailedPolicy
| dedup 2 CycleDate

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...