
choose top string for a group

Engager

So, my data looks like this:

code message hash count
aaa  m1      53e  3
aaa  m2      53e  5
bbb  m3      54e  15
ccc  m4      77f  4
ccc  m5      77f  7

and I want to group by the hash (actually I could group by either the hash or the code), and choose any of the messages in the resulting bucket. Here is my desired output:

code message hash count
aaa  m1      53e  8
bbb  m3      54e  15
ccc  m4      77f  11

Note that I don't care in the first group whether m1 or m2 is displayed. Also, the messages are strings, not numerical data. Any ideas how I can achieve what I want?


Re: choose top string for a group

Champion

This will give you the result that you want. I don't know what result set you have, but I tested with the sample you gave.

index=main sourcetype=xxx | multikv fields code,hash,count | stats sum(count) as totalcount by code,hash | join code [search index=main sourcetype=xxx | multikv fields code,message | fields code,message] | table code,message,hash,totalcount

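The same grouping can be done in a single stats pass without the subsearch join, by letting stats pick one message per group with first(). The search below is an added example, not the answerer's search; it rebuilds the sample rows from the question with makeresults and eval so it runs against no index at all, and the stage names are assumptions for illustration.

```spl
| makeresults count=5
| streamstats count as n
| eval code=case(n=1,"aaa", n=2,"aaa", n=3,"bbb", n=4,"ccc", n=5,"ccc")
| eval message="m".n
| eval hash=case(n<=2,"53e", n=3,"54e", true(),"77f")
| eval count=case(n=1,3, n=2,5, n=3,15, n=4,4, n=5,7)
| stats sum(count) as count first(message) as message by code hash
| table code message hash count
```

Grouping by both code and hash keeps either key available for the final table; since the question does not care which message survives, first() is enough, and values(message) can be swapped in if every message for the group should be shown instead. With real data, replace everything before the stats line with the base search and multikv extraction from the accepted answer.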