Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sort based on 2 values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snam
New Member
01-27-2017
06:50 AM
Hi,
I'm new to Splunk and I'm struggling to find a solution for the requirement I have.
Here is my requirement:
I have an Index where I get ID, IssueType, Severity, Quantity and another lookup table where I have ID, Manager, Sr Manager, Director.
So, I'm joining the index with lookup table on ID and doing the following query to get the Quantity for each Manager/Sr Manager/Director.
my search|Stats sum(Quantity) by ID,IssueType,Severity,Manager| sort -Quantity.
By doing this I'm getting the result for all Managers sorted in descending order. But I need to only get 5 highest values of Quantity for EACH manager.
Here is an example of result what I'm getting.
ID Manager Quantity
1 ABC 150
2 BDC 140
3 ABC 130
4 XYZ 120
5 ABC 110
6 BDC 100
7 XYZ 90
But, I want the result in following format.
ID Manager Quantity
1 ABC 150
2 ABC 130
3 ABC 110
4 BDC 140
5 BDC 110
6 XYZ 120
7 XYZ 90
Please let me know if we could do it.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
01-27-2017
07:13 AM
How about this
my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snam
New Member
01-27-2017
08:30 AM
you saved my day..Thanks a lot for quick response
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
01-27-2017
07:13 AM
How about this
my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5
Get Updates on the Splunk Community!
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
