In the below table, I was to search by field "Core Content" where "Core Content" should take top 2 highest value.
Core Content | Count | Status | Flag |
4268 | 2223 | N | Red |
4267 | 1794 | N | Yellow |
4266 | 305 | Y | Yellow |
4265 | 90 | Y | Red |
4268 | 19 | Y | Green |
4263 | 63 | N | Green |
4262 | 133 | Y | Red |
4261 | 34 | N | Red |
4260 | 26 | N | Yellow |
4768 |
The output I expect is,
Core Content | Count | Status | Flag |
4268 | 2223 | N | Red |
4267 | 1794 | N | Yellow |
4268 | 19 | Y | Green |
All other rows I have to take as Outdated.
Basically I want to run the below query
index=s_cnn sourcetype=S_network | fillnull value="00" Com | fillnull value="" | search Status="Reporting" Form!="VP" Form!="VI" | search Form="*" Group="*" Env="*" OS="*" Company="*" "Core Content"="4283.0" OR "Core Content"="4286.0" | sort "Core Content"
Instead of explicitly hardcoding the values for "Core Content", I want them to take the top 2 values of "Core Content"
Try this query. The main difference is the use of single quotes. In Splunk, double quotes denote a string while single quote denote a field name.
index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*" ("Core Content"="4283.0" OR "Core Content"="4286.0")
| fillnull value="00" Com
| fillnull value=""
| sort 2 - 'Core Content'
Not working for me.
index=s_cnn sourcetype=S_network Status="Reporting" Form!="VP" Form!="VI" Form="*" Group="*" Env="*" OS="*" Company="*"
| fillnull value="00" Com
| fillnull value="" |timechart span=1d count("Core Content") by "Core Content"|sort 2 - "Core Content"
Its not sorting, I get the below output,
_time | 5276 | 5279 | 4280 | 4284 | 4285 | 5286 | 5287 | OTHER |
12/15/2020 | 26 | 20 | 26 | 91 | 28 | 1641 | 2681 | 149 |
12/16/2020 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
But I want to get as below,
_time | 5286 | 5287 |
12/15/2020 | 1641 | 2681 |
12/16/2020 | 0 | 0 |
@nivethainspire_, you can use below query,
| stats list(Count) as Count list(Status) as Status list(Flag) as Flag by "Core Content"
| sort 2 - "Core Content"
| eval lines=mvzip(Count,Status), lines=mvzip(lines,Flag)
| mvexpand lines
| rex field=lines "(?<Count>[^,]+),(?<Status>[^,]+),(?<Flag>.*)"
| fields - lines
| sort - Count
| addcoltotals Count
It didn't work because you used a different query. timechart is a transforming command so you no longer have a "Core Content" field on which to sort.
I don't know how to achieve the results you desire. Sorry.
Would you please clarify the requirements? How is the sample input transformed into the sample output?
The text says "top 2 highest" but the example shows 3 results.
When measuring "highest" which column is to be used? It is the raw values in that column or a sum based on some other field?
The Core Content has values ranging 4260 to 4268. I want show details of only top 2 Core Content that is 4268 and 4267. The core content updates often. Tomorrow it may take 4270.
So I want to query for a table where core content should search only top 2
Here's one way to do that.
your search
| sort 2 - Count