I have the below search_1:
My search |top 5 users
I have a second search as below:
My search |stats values(field_1) as field_1 values(field_2) as field_2 by users
Now how can I combine these two searches and display a result in a tabular chart which contains the field_1 and field_2 values of the top 5 users only?
Why not just calculate the top users in your stats command by adding a count, since that is what top is doing, and then only grab the top 5 from the stats results after you sort it?
... |stats values(field_1) as field_1 values(field_2) as field_2 count by users | sort - count | head 5
Use a sub search to collect the top 5 users:
[search My search | top 5 users | fields users] My search |
stats values(field_1) as field_1 values(field_2) as field_2 by users
The results from that sub search are OR'd together, something like this:
(users=ABC OR users=DEF OR users=GHI OR users=JKL OR users=MNO) My search ...
My search |top 5 users|join users [search My search |stats values(field_1) as field_1 values(field_2) as field_2 by users]
It probably isn't the most efficient way, but it should work.