Populating top 2 failed-policy counts for each cyc... - Splunk Community

Splunk Search

I am trying to write a search for getting the top two failed policy count for each cycledate. The below works for a single day but not for multiple cycledates.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" | stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate | sort 2-FailedPolicy

Table without the sort 2 -FailedPolicy

error_ message	err_Code	CycleDate	FailedPolicy
Err1	20167	09112020	35
Err2	23461	09112020	12
Err3	23451	09112020	22
Err4	1324	09112020	3
Err5	134155	09102020	21
Err6	3245	09102020	81
Err7	1234	09102020	2
Err8	4124	09092020	21
Err9	567	09092020	31
Err10	9873	09092020	45

It isn't clear whether your search includes a space between "-" and "FailedPolicy"

| sort 2 - FailedPolicy

The dedup command can select the first two events for each value of a given field.

index=xxx host=yy* source="*E:\\logfile\*" tag="*error*" "Error ==>*" 
| stats distinct_count(polnum) as FailedPolicy by error_message, err_code, cycledate 
| sort - FailedPolicy
| dedup 2 CycleDate

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...