Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find top 20 results and then do a subsequent search?

jackreeves
Explorer
‎06-21-2019 01:13 AM

I need to find out the Top 20 sites within my sourcetype and then from there be able to do further analysis on other fields such as Product.
Are there a non-destructive stats command I can use for this?

i.e.

sourcetype=site_data | stats count by "Site Name" | head 20

and then a subsequent search to find out of those twenty sites what is the top product logged?

Thanks,
Jack

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spayneort
Contributor
‎06-21-2019 09:59 AM

You could use a subsearch:

sourcetype=site_data [|search sourcetype=site_data | top 20 "Site Name" | fields "Site Name"] <put the rest of your search here>

https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/Usesubsearchtocorrelateevents

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-23-2019 06:33 PM

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=site_data
[search index=YouShouldAlwaysSpecifyAnIndex sourcetype=site_data
| top limit=20 "Site Name" | table "Site Name" | format]
| top limit=1 Product BY "Site Name"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-23-2019 06:34 PM

P.S. field names with spaces are E*V*I*L!

0 Karma
Reply
Solved! Jump to solution
Solution

spayneort
Contributor
‎06-21-2019 09:59 AM

You could use a subsearch:

sourcetype=site_data [|search sourcetype=site_data | top 20 "Site Name" | fields "Site Name"] <put the rest of your search here>

https://docs.splunk.com/Documentation/Splunk/7.3.0/Search/Usesubsearchtocorrelateevents

Reply
Solved! Jump to solution

danielansell
Path Finder
‎06-21-2019 01:02 PM

To add on to this answer, the subsearch provided by spayneort effectively returns the top 20 "Site Name" values as 20 "OR" seperated field=value pairs.

To further understand it, Splunk performs the subsearch first then essentially modifies your search to be:
sourcetype=site_data "Site Name"=https://url1 OR "Site Name"=https://url2 OR "Site Name"=http://url2 OR ....

0 Karma
Reply
Solved! Jump to solution

jackreeves
Explorer
‎06-24-2019 12:39 AM

Thanks guys this has worked as expected! Knew there must be a simple solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...