https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299695#M160249 <P>I have data of mail sending activities of 1000s of customers and need to find the top 10 mail sending customers for every 10minutes for the customer data of the past 1 month. I need to create a stacked chart of the same. Any suggestions how this could be done. for the past 24hrs the top customers have been found as follows </P> <PRE><CODE> index=campaign_prod sourcetype=witness_stat_log virtualization=* earliest=-1d | dedup host| table host customer_name | join type=outer host [search index=campaign_prod sourcetype=mtachild_log message_type=info "sent"| stats count as email_count by host] | fillnull value=0 email_count | stats sum(email_count) as mail_count by customer_name | sort 0 -mail_count | head 20 </CODE></PRE> Mon, 10 Jul 2017 10:31:35 GMT AshimaE 2017-07-10T10:31:35Z https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299695#M160249 <P>I have data of mail sending activities of 1000s of customers and need to find the top 10 mail sending customers for every 10minutes for the customer data of the past 1 month. I need to create a stacked chart of the same. Any suggestions how this could be done. for the past 24hrs the top customers have been found as follows </P> <PRE><CODE> index=campaign_prod sourcetype=witness_stat_log virtualization=* earliest=-1d | dedup host| table host customer_name | join type=outer host [search index=campaign_prod sourcetype=mtachild_log message_type=info "sent"| stats count as email_count by host] | fillnull value=0 email_count | stats sum(email_count) as mail_count by customer_name | sort 0 -mail_count | head 20 </CODE></PRE> Mon, 10 Jul 2017 10:31:35 GMT https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299695#M160249 AshimaE 2017-07-10T10:31:35Z https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299696#M160250 <P>Hi AshimaE,<BR /> try something like this</P> <PRE><CODE>index=campaign_prod sourcetype=witness_stat_log virtualization=* earliest=-1d | dedup host | join type=outer host [ search index=campaign_prod sourcetype=mtachild_log message_type=info "sent" | stats count as email_count by host ] | fillnull value=0 email_count | bin span=10m _time | stats sum(email_count) as mail_count by customer_name, _time | sort 0 -mail_count | head 20 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Mon, 10 Jul 2017 10:44:46 GMT https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299696#M160250 gcusello 2017-07-10T10:44:46Z https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299697#M160251 <P>But this will give the top 20 overall while I want the top 10 or 20 for each timespan of the 1 month period.</P> Mon, 10 Jul 2017 10:48:40 GMT https://community.splunk.com/t5/Splunk-Search/Top-10-for-every-timespan/m-p/299697#M160251 AshimaE 2017-07-10T10:48:40Z