Splunk Search

choose top string for a group

rcraiglynch
Engager

So, my data looks like this:

code message hash count
aaa  m1      53e  3
aaa  m2      53e  5
bbb  m3      54e  15
ccc  m4      77f  4
ccc  m5      77f  7

and I want to group by the hash (actually I could group by either the hash or the code), and choose any of the messages in the resulting bucket. Here is my desired output:

code message hash count
aaa  m1      53e  8
bbb  m3      54e  15
ccc  m4      77f  11

Note that I don't care in the first group whether m1 or m2 is displayed. Also, the messages are strings, not numerical data. Any ideas how I can achieve what I want?

1 Solution

linu1988
Champion

The following will give you the result that you want. I don't know what your actual result set looks like, but I tested with the sample you gave.

index=main sourcetype=xxx
| multikv fields code,hash,count
| stats sum(count) as total_count by code,hash
| join code [search index=main sourcetype=xxx | multikv fields code,message | fields code,message]
| table code,message,hash,total_count

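A join-free way to get the same table, added here as an example rather than taken from either post. It assumes a Splunk release whose makeresults command accepts format=csv; the rows are constructed from the sample in the question so the search runs without any index.

```spl
| makeresults format=csv data="code,message,hash,count
aaa,m1,53e,3
aaa,m2,53e,5
bbb,m3,54e,15
ccc,m4,77f,4
ccc,m5,77f,7"
| stats sum(count) AS count first(message) AS message BY code hash
| table code message hash count
```

first(message) keeps whichever message is seen first in each code/hash group, which satisfies the requirement that any message from the bucket is acceptable; the sample yields counts 8, 15 and 11. Grouping BY hash alone gives the same result here because each hash maps to exactly one code.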
