how to show other field related to filtered out re...

loocayak · ‎12-03-2020

Hi there,

I am not sure if I am missing out the obvious but I would pretty much like to be able to run stats count of a certain field and get highest10 results of that field and then be able to see other data specifically related to that 10 results.

To be more specific, I would like to see a list of fieldA by count and with highest value something similar to this
index=mysearch | stats count by fieldA | sort count - | head 10
but I would als like to be able to see fieldB values that are related to those ten results however if I run
index=mysearch | stats count by fieldA,fieldB | sort count - | head 10 then the results for the FieldA are not the same as in the previous query

Just to sum it up, I would like to see the fieldB values that are related to the head 10 results of fieldA but I am not interested in seeing the stats count of both fieldA and fieldB together.

I really hope this makes sense.

Thank you in advance for your help!

richgalloway · ‎12-03-2020

First, the counts from the two searches are different because the criteria are different.

stats count by fieldA,fieldB

Does not mean "give me counts for fieldA and fieldB". It means "give me counts for all combinations of fieldA and fieldB".

Second, stats is a transforming command. That means it changes the results, specifically by dropping all fields not referenced in the command. That's why you don't see the other data related to the 10 results. Fix that by using either eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.

how to show other field related to filtered out results with stats count in one query

stats

table

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?