Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for 5 maximal values per field

omend
Path Finder
‎06-23-2013 11:59 PM

Hi All,

My data in Splunk contains information about sales from different store branches. More specifically, I have the data in the format - Date, Branch_ID, Sales (Number), that describes for each branch, its sales stats overview for each day (one number).

I would like to run a search that will calculate for each branch, the average of the top 5 best sales day, across the last month. More specifically, I would like to be able to reach results in the format Branch_ID Avg(Max(5)).

For example, if branch_id #1 has the values 0,100,50,100,25,200,75,0,150,25, I would like the query to output #1 (200+150+100+100+75)/5=125.

I tried the stats max, but it only takes the first max value. I tried to sort with limit count, but I couldn't apply the count for each branch.

Any ideas would be appreciated.

Thanks.
Ori.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-24-2013 02:11 AM

Assuming the last scenario, where each sale would be in a separate event;

... | sort - sales_field | dedup 5 branch_id | stats avg(sales_field) as "Avg Top5 Sales" by branch_id

This seems somewhat inefficient, but right now I can't think of anything better.

/K

View solution in original post

Reply
Solved! Jump to solution

omend
Path Finder
‎06-24-2013 02:30 AM

Each event specifies a single branch sales on a single day.

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-24-2013 02:11 AM

Assuming the last scenario, where each sale would be in a separate event;

... | sort - sales_field | dedup 5 branch_id | stats avg(sales_field) as "Avg Top5 Sales" by branch_id

This seems somewhat inefficient, but right now I can't think of anything better.

/K

Reply
Solved! Jump to solution

omend
Path Finder
‎06-24-2013 02:31 AM

That worked like a charm.
Thank you very much!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-24-2013 12:27 AM

Please post a few sample events. Also, describe how the sales values are extracted as fields (if they are);
- a single event per branch with separate fields, or
- a single event per branch with a multivalued field, or
- separate events with a single sales field in each.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...