Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find X largest values of field by another field

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2016 02:38 AM

I have a set of events that are racing results. One result/month for 10 months of the year. Points are awarded to runners for each race during the year. In order to find the annual winner, the monthly points are added and the winner is the person with the most points. Easy...

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015 
| stats sum(Points) as Total count as Runs count(eval(Place==1)) as Wins by Name, Gender 
| sort - Total

However, the catch is that only the top 8 races for a runner count to the total, so if the runner runs 9 or 10 runs, then the lowest two points are not counted, so the sum(Points) above can't be used.

I tried to do a sort by points for all runners and the idea was to then take only the first 8 records of each Name field, but I can't make this work.

Any idea how to do this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎11-07-2016 03:13 AM

You could try something like this by using streamstats:

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015
| sort limit=0 Name, Gender, - Points
| streamstats count as id by Name, Gender, Points
| where id <= 8
| stats sum(Points) as Total count as Runs count(eval(Place==1)) as Wins by Name, Gender 
| sort - Total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎11-07-2016 03:13 AM

You could try something like this by using streamstats:

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015
| sort limit=0 Name, Gender, - Points
| streamstats count as id by Name, Gender, Points
| where id <= 8
| stats sum(Points) as Total count as Runs count(eval(Place==1)) as Wins by Name, Gender 
| sort - Total
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2016 08:10 PM

Thanks javiergn, that almost worked, the key change needed was to the initial streamstats as it didn't need to group by Gender or Points as id would count the number of different points values, hence never get to 8.

In order to keep the total Runs and Wins correct in case they had 9 or 10, I put an eventstats in before the where clause, so it made the final search

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015
| eventstats count as Runs count(eval(Place==1)) as Wins by Name
| sort limit=0 Name, Gender, - Points
| streamstats count as id by Name
| where id <= 8
| stats sum(Points) as Total values(Runs) as Runs values(Wins) as Wins by Name, Gender 
| sort - Total

Cheers

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...