I am trying to write a Splunk query (below) but limit the results to 100 events per cid. I can't use top and limit because it changes the output. This is what I have so far, and I know I should be using | head x, but I am having trouble with the syntax. The query below will output everything for every cid, but I am trying to limit that so I only get a sample of 100 points per cid. I would really appreciate any assistance.
index=unruly_sampled_ad_stats (t=pp_play OR t=pp_completed_view OR t=complete OR t=q2 OR t=q3 OR t=q4 OR t=click) adf=* demand_partner=unruly
(cid=* ) (crid=*) (apid=*) (pid=*)
|bin _time span=1d
|lookup uas_lookup http_user_agent as user_agent
|replace "Mobile Browser" with Mobile in ua_type
|replace Browser with Desktop in ua_type
|eval sampling_rate=coalesce(sampling_rate,1)
|eval play=if(t="pp_play",1/sampling_rate,0)
|eval pp_completed_view=if(t="pp_completed_view",1/sampling_rate,0)
|eval complete=if(t="complete",1/sampling_rate,0)
|eval click=if(t="click",1/sampling_rate,0)
|eval q2=if(t="q2",1/sampling_rate,0)
|eval q3=if(t="q3",1/sampling_rate,0)
|eval q4=if(t="q4",1/sampling_rate,0)
|stats sum(play), sum(pp_completed_view), sum(q2), sum(q3), sum(q4), sum(complete), sum(click) by adf, UID, apid, cid, crid, pid, ua_type, _time