https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267359#M96391 <P>Hey,</P> <P>i have tried the suggestion and i think i was not saying what i search for very good.</P> <P>let me give an example:</P> <P>let's say that i want to get the top 5 disks with the most transfer.<BR /> i have 100 disks and i want to get the top 5 disks with the highest transfer rate for every minute.</P> <P>i wish to get the following - </P> <P>Date &amp; Time DISK_ID1 DISK_ID2 DISK_ID3 DISK_ID4 DISK_ID5</P> <H6>### ###### ###### ####### #######</H6> <P>2016-09-12 10:58 DISK1 DISK64 DISK5 DISK9 DISK12<BR /> 2016-09-12 10:59 DISK50 DISK32 DISK19 DISK20 DISK5<BR /> 2016-09-12 11:00 DISK4 DISK27 DISK13 DISK89 DISK65</P> <P>you can see that for every minute a different disk had the highest level of transfer.</P> <P>i hope that now i wrote it better <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 10:56:50 GMT naty 2020-09-29T10:56:50Z https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267356#M96388 <P>Hi,</P> <P>i'm new to splunk and in need for a little help.</P> <P>we can only access an index that was made for our department.</P> <P>background:<BR /> we are extracting data by REST from our products to Splunk.<BR /> one of our data inputs is extracting the following details:<BR /> date &amp; time, disk ID, disk Transfer<BR /> the data input is getting data every minute.</P> <P>my problem is this:<BR /> for every minute i would like to get the top 10 disks with the highest transfer.</P> <P>we tried to do something like this:<BR /> index=our_index source=... | timechart max(TRANSFER) by DISK_ID limit=10 | sort TRANSFER</P> <P>what we ended up having is getting the current top 10 disks with the highest transfer rate and the history of them.<BR /> the problem is that at some points there must have been different disks that were making more transfer but Splunk isn't showing them because it is searching on the current disks and not on every minute.</P> <P>i would like to get the data in a panel with the Statistics table visualization or the Column chart visualization.</P> <P>can anyone assist?</P> Tue, 29 Sep 2020 10:53:41 GMT https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267356#M96388 naty 2020-09-29T10:53:41Z https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267357#M96389 <P>Try this</P> <PRE><CODE>index=our_index source=... | bin span=1m _time | stats max(TRANSFER) as transfer by _time DISK_ID | sort _time - transfer | streamstats count by _time | where count &lt;=10 </CODE></PRE> <P>*<STRONG><EM>UPDATED</EM></STRONG>*</P> <PRE><CODE>index=our_index source=... | bin span=1m _time | stats max(TRANSFER) as transfer by _time DISK_ID | sort _time - transfer | streamstats count by _time | where count &lt;=5 | eval count="DISK_".count | chart values(DISK_ID) as disk over _time by count </CODE></PRE> Wed, 07 Sep 2016 16:49:00 GMT https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267357#M96389 sundareshr 2016-09-07T16:49:00Z https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267358#M96390 <P>I think you forgot to put a hyphen before transfer (to sort in descending order of transfer rate).</P> Wed, 07 Sep 2016 16:55:29 GMT https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267358#M96390 somesoni2 2016-09-07T16:55:29Z https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267359#M96391 <P>Hey,</P> <P>i have tried the suggestion and i think i was not saying what i search for very good.</P> <P>let me give an example:</P> <P>let's say that i want to get the top 5 disks with the most transfer.<BR /> i have 100 disks and i want to get the top 5 disks with the highest transfer rate for every minute.</P> <P>i wish to get the following - </P> <P>Date &amp; Time DISK_ID1 DISK_ID2 DISK_ID3 DISK_ID4 DISK_ID5</P> <H6>### ###### ###### ####### #######</H6> <P>2016-09-12 10:58 DISK1 DISK64 DISK5 DISK9 DISK12<BR /> 2016-09-12 10:59 DISK50 DISK32 DISK19 DISK20 DISK5<BR /> 2016-09-12 11:00 DISK4 DISK27 DISK13 DISK89 DISK65</P> <P>you can see that for every minute a different disk had the highest level of transfer.</P> <P>i hope that now i wrote it better <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 10:56:50 GMT https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267359#M96391 naty 2020-09-29T10:56:50Z https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267360#M96392 <P>Try the udpated answer</P> Mon, 12 Sep 2016 14:49:38 GMT https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267360#M96392 sundareshr 2016-09-12T14:49:38Z https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267361#M96393 <P>it worked!!<BR /> thank you <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 15 Sep 2016 13:08:37 GMT https://community.splunk.com/t5/Getting-Data-In/Different-values-for-each-minute/m-p/267361#M96393 naty 2016-09-15T13:08:37Z