Splunk Search

How to get only the first 3 events as a result for each event/field?

thezero
Path Finder

I am attempting to get the first 3 events for each user field for which user count > 3.

Basically what I am looking for is:

1) Get the stats count for the user field out of all the data

2) Identify events for which user count > 3

3) Get only the top 3 users out of all the data for user count > 3

4) and the final result, which displays only the first 3 events for each user

For the query below I am getting the user count and the top 3 users with the max count.

index=windows | stats count by user | sort - count | head 3 | where count>3

Result:

user   count
User1  8
user2  4
user3  6

I want the final result as 9 events, containing the first 3 events for each user.

Could you please advise?

jitsinha
Path Finder

Try | head 3 after your search query.

0 Karma

thezero
Path Finder

Hi gkanapathy,

Thanks for the answer but it's still showing only 3 results 😞

Regards,
Rahul

0 Karma

gkanapathy
Splunk Employee

Ah I see you've modified your question. Then perhaps:

index=windows [ search index=windows | top limit=3 showperc=f user | where count > 3 ] | eventstats count by user | dedup 3 user sortby - count

0 Karma
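As an added illustration (not code from any reply in this thread, and not Splunk's own implementation), here is a small Python model of the pipeline in the answer above: rank users by event count, keep the top 3 with count > 3, then return the first 3 events per selected user. The sample events, user names and EventCode values are constructed to match the counts in the question (User1 8, user2 4, user3 6) plus two low-volume users that must be excluded. It is useful for checking what the SPL should return before trusting it for, say, sampling a few events per noisy account during triage.

```python
from collections import Counter

# Constructed sample events standing in for index=windows results (not real logs).
# Per-user counts mirror the question: User1 8, user3 6, user2 4, plus two
# low-volume users that the count > 3 filter must drop.
def make_events():
    spec = [("User1", 8), ("user3", 6), ("user2", 4), ("user4", 3), ("user5", 1)]
    events, t = [], 0
    for user, n in spec:
        for i in range(n):
            t += 1
            events.append({"_time": t, "user": user,
                           "EventCode": 4624 if i % 2 == 0 else 4634})
    return events

def stats_count_by_user(events):
    """Equivalent of `stats count by user`."""
    return Counter(e["user"] for e in events)

def top_users(events, limit=3, min_count=3):
    """Equivalent of `top limit=<limit> user | where count > <min_count>`.
    `top` ranks first and the `where` filters afterwards, so a ranked user
    with too few events is dropped and fewer than `limit` users may return."""
    counts = stats_count_by_user(events)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [user for user, c in ranked if c > min_count]

def first_events_per_user(events, users, n=3):
    """Equivalent of the outer search restricted to the subsearch's users,
    then `eventstats count by user | dedup <n> user sortby - count`:
    keep the first n events (earliest _time) for each selected user,
    listing higher-volume users first."""
    counts = stats_count_by_user(events)
    selected = [e for e in events if e["user"] in users]
    # dedup keeps the first N occurrences in the order it sees them; sortby
    # orders by count descending, and _time keeps "first" meaning earliest.
    selected.sort(key=lambda e: (-counts[e["user"]], e["_time"]))
    seen, result = Counter(), []
    for e in selected:
        if seen[e["user"]] < n:
            seen[e["user"]] += 1
            result.append(e)
    return result

def run():
    """Whole pipeline over the constructed events: 9 events, 3 per user."""
    events = make_events()
    users = top_users(events)  # ['User1', 'user3', 'user2']
    return first_events_per_user(events, users)

if __name__ == "__main__":
    for e in run():
        print(e["_time"], e["user"], e["EventCode"])
```

Note that the order of `top`/`head` and `where` matters: both the question's query and the answer rank first and filter second, so if one of the top 3 users had only 3 events it would be dropped rather than replaced by the next user down.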

Jeff_Lightly_Sp
Communicator

Does this get close to what you need? I just used 'eventtype' as an example.

index=windows | stats count by user,eventtype | sort - user,eventtype | where count > 3 | top limit=3 eventtype by user

0 Karma

davebrooking
Contributor

I think the streamstats command is what you may need to use to rank the events. Take a look at this answer; I believe it should point you in the right direction.

Dave

0 Karma

gkanapathy
Splunk Employee

index=windows | top limit=3 user | where count > 3

0 Karma

0YAoNnmRmKDg
Path Finder

Try this:

index=windows | stats count by user | where count>3 | top 3

Otherwise, try expanding your question a bit; it's a little hard to follow...

0 Karma