Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find X largest values of field by another field

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2016 02:38 AM

I have a set of events that are racing results. One result/month for 10 months of the year. Points are awarded to runners for each race during the year. In order to find the annual winner, the monthly points are added and the winner is the person with the most points. Easy...

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015 
| stats sum(Points) as Total count as Runs count(eval(Place==1)) as Wins by Name, Gender 
| sort - Total

However, the catch is that only the top 8 races for a runner count to the total, so if the runner runs 9 or 10 runs, then the lowest two points are not counted, so the sum(Points) above can't be used.

I tried to do a sort by points for all runners and the idea was to then take only the first 8 records of each Name field, but I can't make this work.

Any idea how to do this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎11-07-2016 03:13 AM

You could try something like this by using streamstats:

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015
| sort limit=0 Name, Gender, - Points
| streamstats count as id by Name, Gender, Points
| where id <= 8
| stats sum(Points) as Total count as Runs count(eval(Place==1)) as Wins by Name, Gender 
| sort - Total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎11-07-2016 03:13 AM

You could try something like this by using streamstats:

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015
| sort limit=0 Name, Gender, - Points
| streamstats count as id by Name, Gender, Points
| where id <= 8
| stats sum(Points) as Total count as Runs count(eval(Place==1)) as Wins by Name, Gender 
| sort - Total
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2016 08:10 PM

Thanks javiergn, that almost worked, the key change needed was to the initial streamstats as it didn't need to group by Gender or Points as id would count the number of different points values, hence never get to 8.

In order to keep the total Runs and Wins correct in case they had 9 or 10, I put an eventstats in before the where clause, so it made the final search

index="bbr" sourcetype="bbr*" source="BBR*csv" Event=10km Year=2015
| eventstats count as Runs count(eval(Place==1)) as Wins by Name
| sort limit=0 Name, Gender, - Points
| streamstats count as id by Name
| where id <= 8
| stats sum(Points) as Total values(Runs) as Runs values(Wins) as Wins by Name, Gender 
| sort - Total

Cheers

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...