Splunk Search

Top to a sum by a field

cmerriman
Super Champion

I am trying to get top 10 channels (chanName) by brand (BRAND) based on the duration (durationPerRoom). I have durationPerRoom sorted descending, and if I could head 10 by brand, that would be great. I have tried to do a top function, but it just counts the channels, or counts the durations, etc. Any ideas?

| stats sum(OF_ROOMS__C) as numberOfRooms, sum(sumDuration) as sumDuration by chanName BRAND | eval durationPerRoom=sumDuration/numberOfRooms | sort by durationPerRoom desc

1 Solution

somesoni2
SplunkTrust

Try adding the following to your already existing search

| eval CountF=1 | streamstats sum(CountF) as CountF by BRAND | where CountF < 11
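The approach in the answer above, as an added end-to-end example that is not part of the original posts: it builds a few constructed rows (the `ExampleBrand*` values and channel names are made up) in place of real events, runs the question's `stats`/`eval`, and keeps the top 2 channels per brand so the effect is visible on a small set. It assumes `streamstats count as rank by BRAND` as a shorter equivalent of the `eval CountF=1` plus `streamstats sum(CountF)` pair, and uses `sort 0` so the sort is not cut off at its default 10,000-result limit.

```spl
| makeresults
| eval row=split("ExampleBrandA,News,10,900;ExampleBrandA,Sports,5,800;ExampleBrandA,Movies,20,600;ExampleBrandA,Kids,10,100;ExampleBrandB,News,4,100;ExampleBrandB,Sports,10,700;ExampleBrandB,Music,2,300", ";")
| mvexpand row
| rex field=row "^(?<BRAND>[^,]+),(?<chanName>[^,]+),(?<OF_ROOMS__C>[^,]+),(?<sumDuration>[^,]+)$"
| stats sum(OF_ROOMS__C) as numberOfRooms, sum(sumDuration) as sumDuration by chanName BRAND
| eval durationPerRoom=sumDuration/numberOfRooms
| sort 0 BRAND -durationPerRoom
| streamstats count as rank by BRAND
| where rank<=2
| table BRAND rank chanName durationPerRoom
```

The running count only acts as a rank because the rows are already sorted by `durationPerRoom` descending when they reach `streamstats`; change `rank<=2` to `rank<=10` for the top 10 asked about in the question.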


somesoni2
SplunkTrust

Added my comment as answer, so that you can close the question.

cmerriman
Super Champion

That worked PERFECTLY! Thank you!!!


