Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sort based on 2 values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snam
New Member
01-27-2017
06:50 AM
Hi,
I'm new to Splunk and I'm struggling to find a solution for the requirement I have.
Here is my requirement:
I have an Index where I get ID, IssueType, Severity, Quantity and another lookup table where I have ID, Manager, Sr Manager, Director.
So, I'm joining the index with lookup table on ID and doing the following query to get the Quantity for each Manager/Sr Manager/Director.
my search|Stats sum(Quantity) by ID,IssueType,Severity,Manager| sort -Quantity.
By doing this I'm getting the result for all Managers sorted in descending order. But I need to only get 5 highest values of Quantity for EACH manager.
Here is an example of result what I'm getting.
ID Manager Quantity
1 ABC 150
2 BDC 140
3 ABC 130
4 XYZ 120
5 ABC 110
6 BDC 100
7 XYZ 90
But, I want the result in following format.
ID Manager Quantity
1 ABC 150
2 ABC 130
3 ABC 110
4 BDC 140
5 BDC 110
6 XYZ 120
7 XYZ 90
Please let me know if we could do it.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
01-27-2017
07:13 AM
How about this
my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
snam
New Member
01-27-2017
08:30 AM
you saved my day..Thanks a lot for quick response
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
01-27-2017
07:13 AM
How about this
my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
