reviewsanna.blogg.se

Splunk stats count sort








The first appendpipe is where we take that raw data and use top to gather the list of the top 20 categories and their counts, we label these as stats="a", and add them to the set of results. (In my test environment using numbers for each of these fields and 86,400 random events in a very dense search, the difference was a search time of ~3 seconds having table here and ~28 seconds without). The table command is indeed necessary, as we are going to be duplicating results quite a bit and do not want to carry the baggage of unnecessary fields beyond this point. The first line is of course to gather the data that we're reporting on, from your search, and label it as raw data (stats="f").

    | where stats="a"
    | fields - stats
    | sort - count
    | foreach *
    | where stats!="f"
    | stats first(*) as * by category
    | rename count as url_count referrer_url as url
    | top limit=3 showperc=f referrer_url by category
    | rename count as pid_count product_id as pid
    | top limit=3 showperc=f product_id by category
    | stats list(*) as * by category
    | foreach *
    | rename count as subcat_count subcategory as subcat
    | top limit=3 showperc=f subcategory by category

I'm going to start with my solution, and then explain things:

    | table category subcategory product_id referrer_url
    | eval stats="f"

So 20 categories, then for each the top 3 for each column, with its count. The expected output would be something like this:

That's close, but I want SubCat, PID and URL sorted and counted (top would do it, but seems cannot be inserted into a stats search)

    | eval SubCat=mvindex(SubCat, 0, 2)
    | eval PID=mvindex(PID, 0, 2)
    | eval URL=mvindex(URL, 0, 2)
    | stats count(category) AS Count list(subcategory) AS SubCat list(product_id) as PID list(referrer_url) as URL by category
    | table category subcategory product_id referrer_url

#Splunk stats count sort how to

So far I've come up with this, which is close, but I still have to figure out how to sort and count 3 of the columns. I have 4 fields, 3 of which I would like to have sorted and counted in relation to the first one, and then display the top 3 for each. And I want to display the top 20 categories, and for each category, the top 3 subcategories, top 3 product_id and top 3 referrer_url (each with its counter). Hello, let's see if someone can help with this







