Re: Top of field with multiple values

adri9valle · ‎03-08-2019

Hi,

I'm trying to do a simple search that returns the top repeated values of a field.

The problem is that this field has multiple values, then when a try to exec the search, it returns 0 results.

With another field with a single value, this problem doesn't happen.

For example, let's suppose that we have this two fields; level and groups the field level contents a unique value for example 7, but the groups field can content multiples values [foo,bar,cir...]

If execute ** query *| top level limit 5 * will return the top 5 levels but if execute ** query | top groups limit 5 ** does not return anything.

How can get the top of a field with multiple values?

Thanks

adri9valle · ‎03-11-2019

Hi @nickhillscpl and @harishalipaka,

Thanks for your help, but the solution was the below:

Instead of execute:

mysearch | top rules

The execution must be:

mysearch | top rules{}

Looks seem that {} is used for fields with several values.

nickhills · ‎03-08-2019

I think you mean that the 'group' field can contain comma separated lists of values?

If I have understood that bit correctly, try:

[your search]|makemv delim="," groups|top groups limit 5

If my comment helps, please give it a thumbs up!

Top of field with multiple values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation