Re: top N results of values(X)

atanasmitev · ‎07-30-2014

Hello,
I have a column list received from "values(mymail)"

abra@sth.com
cada@sth.com
bra@sth.com
this@sth.com
is@sth.com
anew@sth.com

I need to get top/head N results of that list with the idea that values(mymail) can reach thousands of rows.

The whole search string related to the question is :

$SEARCH | stats count dc(mymail) as unique count(mymail) as hits values(mymail) as list by VAR

How do I do that ? 🙂

I tried with eval
just before |stats like eval email_list=(values(mymail)|head 10 ), but it seems not right

Runals · ‎07-31-2014

You could maybe use the following to break out the individual items in the list field but am having trouble imagining what the rest of your stats command output is - haven't had enough caffeine yet I suppose.

| makemv list | mvexpand list

At any rate you would then need another stats (+ sort & head) or top command to then get your top X.

somesoni2 · ‎07-30-2014

Try something like this

$SEARCH | stats count dc(mymail) as unique count(mymail) as hits values(mymail) as list by VAR 
| eval sno=mvrange(0,10,1) | eval list=mvzip(list,sno,",") |nomv list| eval list=replace(list,"(,\d+)"," ") | makemv list

The no '10' in the mvrange command denotes you will be returned first 10 values from the multivalued field 'list'

top N results of values(X)

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users