Solved: choose top string for a group

rcraiglynch · ‎07-08-2013

So, my data looks like this:

code message hash count
aaa  m1      53e  3
aaa  m2      53e  5
bbb  m3      54e  15
ccc  m4      77f  4
ccc  m5      77f  7

and I want to group by the hash (actually I could group by either the hash or the code), and choose any of the messages in the resulting bucket. Here is my desired output:

code message hash count
aaa  m1      53e  8
bbb  m3      54e  15
ccc  m4      77f  11

Note that I don't care in the first group whether m1 or m2 is displayed. Also, the messages are strings, not numerical data. Any ideas how I can achieve what I want?

linu1988 · ‎07-08-2013

will give you the result that you want. I dont know the result set how you are having but i tested with the sample you gave..

View solution in original post

linu1988 · ‎07-08-2013

will give you the result that you want. I dont know the result set how you are having but i tested with the sample you gave..

choose top string for a group

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?