Splunk Search

How to combine two searches and display as a single table?

pavanae
Builder

I have the below search_1

My search |top 5 users

I have a second search as below

My search |stats values(field_1) as field_1 values(field_2) as field_2 by users

Now how can I combine these two searches and display a result in tabular chart which contains field_1 and field_2 values of the top 5 users only?

0 Karma
1 Solution

MattZerfas
Communicator

Why not just calculate the top users in your stats command by adding a count since that is what top is doing and then only grab the top 5 from the stats results after you sort it ?

... |stats values(field_1) as field_1 values(field_2) as field_2 count by users | sort - count | head 5

View solution in original post

0 Karma

twinspop
Influencer

Use a sub search to collect the top 5 users:

[search My search | top 5 users | fields users] My search |
stats values(field_1) as field_1 values(field_2) as field_2 by users

The results from that sub search are OR'd together, something like this:

(users=ABC OR users=DEF OR users=GHI OR users=JKL OR users=MNO) My search ...
0 Karma

MattZerfas
Communicator

Why not just calculate the top users in your stats command by adding a count since that is what top is doing and then only grab the top 5 from the stats results after you sort it ?

... |stats values(field_1) as field_1 values(field_2) as field_2 count by users | sort - count | head 5
0 Karma

cmerriman
Super Champion
My search |top 5 users|join users [search My search |stats values(field_1) as field_1 values(field_2) as field_2 by users]

it probably isn't the most efficient way but it should work.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...