Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to show other field related to filtered out results with stats count in one query

loocayak
Observer
‎12-03-2020 12:16 PM

Hi there, 

I am not sure if I am missing out the obvious but I would pretty much like to be able to run stats count of a certain field and get highest10 results of that field and then be able to see other data specifically related to that 10 results. 

To be more specific, I would like to see a list of fieldA by count and with highest value something similar to this
index=mysearch | stats count by fieldA | sort count - | head 10 
but I would als like to be able to see fieldB values that are related to those ten results however if I run 
index=mysearch | stats count by fieldA,fieldB | sort count - | head 10 then the results for the FieldA are not the same as in the previous query

Just to sum it up, I would like to see the fieldB values that are related to the head 10 results of fieldA but I am not interested in seeing the stats count of both fieldA and fieldB together. 

I really hope this makes sense. 

Thank you in advance for your help!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2020 01:41 PM

First, the counts from the two searches are different because the criteria are different.

stats count by fieldA,fieldB

Does not mean "give me counts for fieldA and fieldB".  It means "give me counts for all combinations of fieldA and fieldB".

Second, stats is a transforming command.  That means it changes the results, specifically by dropping all fields not referenced in the command.  That's why you don't see the other data related to the 10 results.  Fix that by using either eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...