Hi Derek
You could possibly use a regex pattern that would result in 2 mv fields - something like
... | rex field=origField "(?P<f1>\b[^-]+)\s-\s(?P<f2>\d+\.\d+)" max_match=10 | table origField f1 f2
... View more
Another solution my be something like
base search |
sort server, -value |
streamstats count as rank by server |
where rank < 3 |
table server counter value rank
I don't have sufficient data to run a meaningful comparison of the different methods, so don't know which is more performs better over a large dataset.
... View more