Solved: How to edit my search to display the highest count...

dfenko · ‎02-15-2017

I have a data set that gives me an entry for each time a company runs a report in my system. I can easily put together a report that gives me a count of the reports by the company.

search * | stats count by company_name, report_name

Which returns the result:

Company Name    Report Name count
Company A      Report 1    1919
Company A      Report 2    643
Company A      Report 5    454
Company B      Report 3    400
Company D      Report 3    391
Company A      Report 6    336
Company C      Report 1    269
Company A      Report 3    266
Company B      Report 1    229
Company A      Report 10      176

What I'd actually like to do is to get a report that has one entry per company and returns the report with the highest count by the company, much like:

Company Name    Report Name count
Company A      Report 1    1919
Company B      Report 3    400
Company C      Report 1    269
Company D      Report 3    391

jkat54 · ‎02-15-2017

search * | top 1 report_name by company_name | fields - percent

View solution in original post

jkat54 · ‎02-15-2017

search * | top 1 report_name by company_name | fields - percent

jkat54 · ‎02-15-2017

Omg thank you for giving me 2 points!!! I've been 2 points shy forever because I gave someone else 2 points ;-). I Seriously appreciate it

How to edit my search to display the highest count per company?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms