Top 10 values for each field value


matansocher

Contributor

11-12-2017
01:41 AM

Hi,

I have data that contains the field 'regression_target'. I want to get the top 10 rows by the 'regression_tests' field.

For example, if I have 4 values of the 'regression_target' field, I would like to get 40 rows in my new table: 10 rows for the first value of 'regression_target', which are the top 10 of the field 'regression_tests'.

Let me know if I am not clear enough.

Thanks

1 Solution


niketnilay

SplunkTrust

11-12-2017
05:29 AM

@matansocher, following is a run anywhere example which generates a mock series of 8 values per regression_target. It sorts and retains unique regression_test values using the `values()` statistical function. It then counts the values per series using `streamstats` after reversing the series (or sort descending). Finally, it filters the top 3 values for each series using a `where` condition.

PS: Commands until `| table` generate mock data as per question. You can hook in your base search instead. Also change where `counter<=3` with `10` as per your use case.

```
| makeresults
| eval data="bbb|770;ccc|870;bbb|970;ccc|780;aaa|780;bbb|670;ccc|950;aaa|320;bbb|230;ccc|345;aaa|500;bbb|200;ccc|600;aaa|200;bbb|150;ccc|300;aaa|800;bbb|600;aaa|400;ccc|900;bbb|200;aaa|300;ccc|400;aaa|900;bbb|800;ccc|600"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,"|")
| eval regression_target=mvindex(data,0)
| eval regression_tests=mvindex(data,1)
| table regression_target regression_tests
| stats values(regression_tests) as regression_tests by regression_target
| mvexpand regression_tests
| reverse
| streamstats count as counter by regression_target
| where counter<=3
```

____________________________________________

| makeresults | eval message= "Happy Splunking!!!"
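
Added example, not part of the original answer: a variant of the same `streamstats` ranking for the case where repeated values must count as separate rows and the field has a varying number of digits. `values()` returns distinct values in lexicographical order, so this version ranks the raw rows with a numeric `sort` instead. The mock data is constructed for illustration.

```spl
| makeresults
| eval data="aaa|90;aaa|800;aaa|800;aaa|1000;aaa|5;bbb|200;bbb|200;bbb|1500;bbb|70"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,"|")
| eval regression_target=mvindex(data,0), regression_tests=tonumber(mvindex(data,1))
| table regression_target regression_tests
| sort 0 regression_target -num(regression_tests)
| streamstats count as counter by regression_target
| where counter<=3
```

`sort 0` lifts the default 10,000-row limit of `sort`, which matters when the base search returns more rows than the mock data.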


matansocher

Contributor

11-12-2017
02:04 AM

Hi Giuseppe, thanks for your reply.

I am not sure you fully understood me.

Let's say that is the table from my index:

```
regression_target|regression_tests
aaa|500
bbb|200
aaa|700
ccc|600
```

and many more rows...

I need to get the top 10 rows (by the 'regression_tests' field) for each value of the 'regression_target' field.

For example, if I have 3 values of the 'regression_target' field, I would like to get 30 rows in my new table.


gcusello

Legend

11-12-2017
01:51 AM

Hi matansocher,

I hope I understand correctly: if you have data in two different indexes, try something like this:

```
index=my_index1 [search index=my_index2 | dedup regression_target | rename regression_target AS regression_tests | fields regression_tests]
| top count BY regression_tests
```

If you have data in the same index, use it in both the searches.

Bye.

Giuseppe