Solved: Getting top values from two fields

kennethp · ‎12-23-2013

I have a index that contains both destination and source countries in each entry.
I would like to get a list over top 10 countries, regardless of the source or destination.

I have tried something like this:

... | top limit=10 srccountry,dstcountry

But this doesnt work, since it shows top based on both source and destination.

Something like this I was hoping would work, but clearly doesnt

... | top limit=10 srccountry OR dstcountry

I was thinking that I could add the results from two searches and addning them, but not sure how to do this.

Does anybody knows how to solve this? (if possible)

martin_mueller · ‎12-23-2013

You could do something like this:

your search | eval country = srccountry . ";" . dstcountry | makemv delim=";" country | mvexpand country | top country

That will make two events for each event, one with country=srccountry and one with country=dstcountry, and then count the top ten countries.

View solution in original post

martin_mueller · ‎12-23-2013

You could do something like this:

your search | eval country = srccountry . ";" . dstcountry | makemv delim=";" country | mvexpand country | top country

That will make two events for each event, one with country=srccountry and one with country=dstcountry, and then count the top ten countries.

Getting top values from two fields

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor