Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search for 5 maximal values per field

omend
Path Finder
‎06-23-2013 11:59 PM

Hi All,

My data in Splunk contains information about sales from different store branches. More specifically, I have the data in the format - Date, Branch_ID, Sales (Number), that describes for each branch, its sales stats overview for each day (one number).

I would like to run a search that will calculate for each branch, the average of the top 5 best sales day, across the last month. More specifically, I would like to be able to reach results in the format Branch_ID Avg(Max(5)).

For example, if branch_id #1 has the values 0,100,50,100,25,200,75,0,150,25, I would like the query to output #1 (200+150+100+100+75)/5=125.

I tried the stats max, but it only takes the first max value. I tried to sort with limit count, but I couldn't apply the count for each branch.

Any ideas would be appreciated.

Thanks.
Ori.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-24-2013 02:11 AM

Assuming the last scenario, where each sale would be in a separate event;

... | sort - sales_field | dedup 5 branch_id | stats avg(sales_field) as "Avg Top5 Sales" by branch_id

This seems somewhat inefficient, but right now I can't think of anything better.

/K

View solution in original post

Reply
Solved! Jump to solution

omend
Path Finder
‎06-24-2013 02:30 AM

Each event specifies a single branch sales on a single day.

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-24-2013 02:11 AM

Assuming the last scenario, where each sale would be in a separate event;

... | sort - sales_field | dedup 5 branch_id | stats avg(sales_field) as "Avg Top5 Sales" by branch_id

This seems somewhat inefficient, but right now I can't think of anything better.

/K

Reply
Solved! Jump to solution

omend
Path Finder
‎06-24-2013 02:31 AM

That worked like a charm.
Thank you very much!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-24-2013 12:27 AM

Please post a few sample events. Also, describe how the sales values are extracted as fields (if they are);
- a single event per branch with separate fields, or
- a single event per branch with a multivalued field, or
- separate events with a single sales field in each.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...