Solved: How to get top values

xvxt006 · ‎02-19-2014

Hi, i have a report where i show top 50 404s by uri as shown below. Now i want to get the top referer for each URI in the same report. is it possible?

URI COUNT %

XXX 50 50%
YYY 25 25%
ZZZ 25 25%

output should have
URI COUNT % Referer Referercount REferer%
XXX 50 50%
YYY 25 25%
ZZZ 25 25%

thslopes · ‎02-19-2014

yoursearch | top uri | join uri [search yoursearch | top uri referrer | eval referer_count=count | eval referer_percent=percent] | table uri count percent referrer referer_count referer_percent

View solution in original post

martin_mueller · ‎02-19-2014

Here's an approach to keep things within one search:

your search yielding 404 events | stats c by uri referer | eventstats max(c) as max sum(c) as count by uri | where max==c | fields - max c

You may want to sort, calculate percentages, and cut after the first n results afterwards to look similar to top.
Note: This does not handle cases where the top referers for one uri have equal counts. If that's important for you you can insert a ... | streamstats count as number by uri referer | where number==1 | fields - number at the end.

thslopes · ‎02-19-2014

yoursearch | top uri | join uri [search yoursearch | top uri referrer | eval referer_count=count | eval referer_percent=percent] | table uri count percent referrer referer_count referer_percent

xvxt006 · ‎02-19-2014

Thank you all for your inputs

lukejadamec · ‎02-19-2014

You can try:

|top limit=50 uri |append [yoursearch |top top limit=50 referer by uri]

I've not tried this, but in theory it should work.

lukejadamec · ‎02-19-2014

Right, you want to maintain the numbers for both. I updated the answer.

xvxt006 · ‎02-19-2014

that will give me top referers but i want to get top uris for 404s and then for those uris i need top referers

How to get top values

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!