Splunk Search

Top 10 of a top 10

BigShak
Explorer

Hello there,

I want to make a top 10 of applications based on top 10 of categories.

Here is an example:

Category | Nb of alerts / category | Application | Nb of alerts (by app, for this category)
Cat1     | 8000                    | App1        | 1000
Cat1     | 8000                    | App2        | 100
Cat1     | 8000                    | App3        | 10
Cat2     | 5000                    | App1        | 10000
Cat2     | 5000                    | App2        | 688
Cat3     | 300                     | App4        | 4560

So I know how to get the top 10 categories but from that I don't know how to get the top 10 applications for each category found previously.

Here is what I've done so far (note that the 2nd column in my example doesn't exist in my query, it's just to make the example clearer):

index=my_index action=block [search index=my_index action=block | top category | table category] | stats count by category, app | stats values(app) AS apps, values(count) AS total by category

It gives me the 10 categories, but they are sorted in alphabetical order instead of by number of block actions, and I have more than 10 applications in the second column, not sorted.

Does anyone have a solution for that? It'd be lovely.

Thanks in advance.


ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=my_index action=block [search index=my_index action=block | top category | table category] 
| stats count by category, app
| sort 0 category -count
| streamstats count as rank by category
| where rank < 11

BigShak
Explorer

Hi ITWhisperer,

Many thanks for your answer! It is working almost as I expected. The apps are properly sorted for each category and limited to 10, great! However, I still have the issue with the categories... they are ordered in alphabetical order, do you have an idea?

Thanks.


ITWhisperer
SplunkTrust
SplunkTrust
index=my_index action=block [search index=my_index action=block | top category | table category] 
| stats count by category, app
| sort 0 category -count
| streamstats count as rank by category
| where rank < 11
| eventstats sum(count) as total by category
| sort 0 -total category -count
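Added example, not from the thread: the accepted SPL pipeline mirrored in Python over a constructed list of (category, app) block events, so the ranking semantics can be checked offline. As in the SPL, `total` is summed after the top-N app filter, so it counts only the kept apps, which matters for categories with more than ten apps. The EVENTS sample and the function name are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of blocked events as (category, app) pairs; not real data.
EVENTS = (
    [("web", "browser")] * 6 + [("web", "curl")] * 3 + [("web", "wget")] * 1
    + [("mail", "outlook")] * 4 + [("mail", "thunderbird")] * 1
    + [("dns", "resolver")] * 2
)


def top_apps_per_top_category(events, n_categories=10, n_apps=10):
    """Return rows like the accepted SPL search: the busiest categories,
    each with its top apps, ordered by category total desc, then app count desc."""
    # Subsearch `top category | table category`: keep the N busiest categories.
    cat_full = Counter(c for c, _ in events)
    keep = {c for c, _ in cat_full.most_common(n_categories)}

    # `stats count by category, app` restricted to the kept categories.
    pair_count = Counter((c, a) for c, a in events if c in keep)
    by_cat = defaultdict(list)
    for (c, a), n in pair_count.items():
        by_cat[c].append((a, n))

    # `sort 0 category -count | streamstats count as rank by category | where rank < 11`
    # then `eventstats sum(count) as total by category` on the rows that remain.
    per_cat = {}
    for c in keep:
        apps = sorted(by_cat[c], key=lambda t: (-t[1], t[0]))[:n_apps]
        per_cat[c] = (sum(n for _, n in apps), apps)  # total over kept apps only

    # `sort 0 -total category -count`
    rows = []
    for c in sorted(per_cat, key=lambda c: (-per_cat[c][0], c)):
        total, apps = per_cat[c]
        for rank, (a, n) in enumerate(apps, start=1):
            rows.append({"category": c, "total": total, "app": a,
                         "count": n, "rank": rank})
    return rows


if __name__ == "__main__":
    for r in top_apps_per_top_category(EVENTS, n_categories=2, n_apps=2):
        print(r)
```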

BigShak
Explorer

Many thanks, have a great day 🙂
