Splunk Search

Top to a sum by a field

cmerriman
Super Champion

I am trying to get top 10 channels (chanName) by brand (BRAND) based on the duration (durationPerRoom). I have durationPerRoom sorted descending, and if I could head 10 by brand, that would be great. I have tried to do a top function, but it just counts the channels, or counts the durations, etc. Any ideas?

| stats sum(OF_ROOMS__C) as numberOfRooms, sum(sumDuration) as sumDuration by chanName BRAND | eval durationPerRoom=sumDuration/numberOfRooms | sort by durationPerRoom desc


somesoni2
Revered Legend

Try adding the following to your already existing search:

| eval CountF=1 | streamstats sum(CountF) as CountF by BRAND | where CountF<11


somesoni2
Revered Legend

Added my comment as answer, so that you can close the question.

cmerriman
Super Champion

That worked PERFECTLY! Thank you!!!


somesoni2
Revered Legend

Try adding the following to your already existing search:

| eval CountF=1 | streamstats sum(CountF) as CountF by BRAND | where CountF<11
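
The technique from the accepted answer as a self-contained search, added here as an example and not posted by anyone in the thread: once the rows are sorted by durationPerRoom descending, a running count per BRAND is each channel's rank within its brand, so filtering on that count keeps the top N per brand. The rows come from makeresults and are constructed sample data; rankInBrand, the modulo-based field values and the cutoff of 3 are assumptions. `sort 0` is used because `sort` without a count returns at most 10,000 results, and BRAND is added to the sort only to group the output.

```spl
| makeresults count=24
| streamstats count as n
| eval chanName="chan".tostring(n % 8)
| eval BRAND=if(n % 8 < 4, "BrandA", "BrandB")
| eval OF_ROOMS__C=1 + (n % 3), sumDuration=n * 60
| stats sum(OF_ROOMS__C) as numberOfRooms, sum(sumDuration) as sumDuration by chanName BRAND
| eval durationPerRoom=sumDuration/numberOfRooms
| sort 0 BRAND -durationPerRoom
| streamstats count as rankInBrand by BRAND
| where rankInBrand <= 3
| table BRAND rankInBrand chanName numberOfRooms sumDuration durationPerRoom
```

Replace the first five lines with the real base search and change the cutoff to 10 to get the result asked for in the question.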