I need to create a new field to assign to the top results of a command using eval.
Obviously this syntax doesn't work, so I'm looking for the correct query:
source="tutorialdata.zip*" | eval popular = top limit=5 itemId | stats count(action) by popular, action
Basically I only need the action stats of the top 5 itemId results of the following:
Sorry for the n00b question; I am just getting started with Splunk. Thanks for your time!