how to find third largest salary from a salary fie...

Tamilraj28 · ‎07-19-2019

Please help me in Finding the 3rd or nth largest value from a field...

SALARY

10000
30000
20000
80000
60000
93000
55000

we need to get 3rd largest as 60000

Please give the spl and help me

Vijeta · ‎07-19-2019

Try this-

<your search>| sort -SALARY | streamstats count as rank  by SALARY| where rank=3

vnravikumar · ‎07-19-2019

Hi

Try this

| makeresults
| eval SALARY = "10000,30000,20000,80000,60000,93000,55000,500" 
| makemv delim="," SALARY 
| mvexpand SALARY 
| stats count by SALARY 
| sort -SALARY 
| mvcombine SALARY 
| eval SALARY =mvindex(SALARY,2) 
| table SALARY

adonio · ‎07-19-2019

there are other ways to do this, but in the meantime, try this:

| makeresults count=1
| eval SALARY = "10000,30000,20000,80000,60000,93000,55000"
| makemv delim="," SALARY
| mvexpand SALARY
| rename COMMENT as "the above generates data below is the solution" 
| sort -SALARY
| streamstats count as rec_number
| where rec_number = 3

hope it helps

how to find third largest salary from a salary field

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Are you a member of the Splunk Community?

how to find third largest salary from a salary field

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions