- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm new to Splunk and I'm struggling to find a solution for the requirement I have.
Here is my requirement:
I have an Index where I get ID, IssueType, Severity, Quantity and another lookup table where I have ID, Manager, Sr Manager, Director.
So, I'm joining the index with lookup table on ID and doing the following query to get the Quantity for each Manager/Sr Manager/Director.
my search|Stats sum(Quantity) by ID,IssueType,Severity,Manager| sort -Quantity.
By doing this I'm getting the result for all Managers sorted in descending order. But I need to only get 5 highest values of Quantity for EACH manager.
Here is an example of result what I'm getting.
ID Manager Quantity
1 ABC 150
2 BDC 140
3 ABC 130
4 XYZ 120
5 ABC 110
6 BDC 100
7 XYZ 90
But, I want the result in following format.
ID Manager Quantity
1 ABC 150
2 ABC 130
3 ABC 110
4 BDC 140
5 BDC 110
6 XYZ 120
7 XYZ 90
Please let me know if we could do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you saved my day..Thanks a lot for quick response
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5
