Solved: Re: sort based on 2 values

snam · ‎01-27-2017

Hi,
I'm new to Splunk and I'm struggling to find a solution for the requirement I have.

Here is my requirement:
I have an Index where I get ID, IssueType, Severity, Quantity and another lookup table where I have ID, Manager, Sr Manager, Director.
So, I'm joining the index with lookup table on ID and doing the following query to get the Quantity for each Manager/Sr Manager/Director.

my search|Stats sum(Quantity) by ID,IssueType,Severity,Manager| sort -Quantity.

By doing this I'm getting the result for all Managers sorted in descending order. But I need to only get 5 highest values of Quantity for EACH manager.
Here is an example of result what I'm getting.

ID Manager Quantity
1 ABC 150
2 BDC 140
3 ABC 130
4 XYZ 120
5 ABC 110
6 BDC 100
7 XYZ 90

But, I want the result in following format.

ID Manager Quantity
1 ABC 150
2 ABC 130
3 ABC 110
4 BDC 140
5 BDC 110
6 XYZ 120
7 XYZ 90

Please let me know if we could do it.

rjthibod · ‎01-27-2017

How about this

 my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5

View solution in original post

snam · ‎01-27-2017

you saved my day..Thanks a lot for quick response

rjthibod · ‎01-27-2017

How about this

 my search
| stats sum(Quantity) as Quantity by ID,IssueType,Severity,Manager
| sort +Manager -Quantity
| streamstats global=f count as rank by Manager
| WHERE rank <= 5

sort based on 2 values

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...