topic Help with Top 10 by Speed in Splunk Search

Help with Top 10 by Speed

LizAndy123 — Thu, 19 Sep 2024 14:20:04 GMT

So I have a SPL and it searchs an Index and brings back over 1.8 Million events

I have done some evals to get the Project, Size of file and Speed.

What I want to do is just to list the top 10 speeds and their relevant Project (It could be the same project is listed 10 times)

I have done something with stats(sum) but I don't want the sum....

Out of the 1.8 Million I need to just show the top 10 events and speed and it project number

My fields from eval are ProjectID, MB is the size and speed is SecTM is the speed

I seem to be stuck on Splunk doing a sum for the entire Project and I guess that would be true since I am using sum

Re: Help with Top 10 by Speed

gcusello — Thu, 19 Sep 2024 14:30:26 GMT

Hi @LizAndy123 ,

let me understand:

you want to find the first 10 projectIDs by Speed and the list of project of them, is it correct?

if this is your requirement, you can use stats:

<your_search> | stats sum(Speed) AS Speed values(Project) AS Project BY ProjectID | sort -Speed | head 10

this search runs if you have more Projects for each ProjectID.

If instead you want the most ten Projects BY Speed, you can use top:

<your_search> | top 10 sum(Speed) AS Speed BY Project

Ciao.

Giuseppe

Re: Help with Top 10 by Speed

LizAndy123 — Thu, 19 Sep 2024 14:49:19 GMT

That kinda is correct but we are still doing is a Sum - For example I know ProjectID 855 uploads at least 50,000 times in a 30 day period - what I want is to just find the top 10 speeds and just list the Project ID of that single event but show the top 10

So Project 855 uploaded at 10 seconds then 1 second then 50 seconds...then Project 888 uploaded at 80 seconds then 90 seconds....

I just want to see

Project 888 - 90

Project 888 - 80

Project 855 - 50

Project 855 - 10

Of course we have 00's of Projects so hopefully that makes sense 🙂

Re: Help with Top 10 by Speed

gcusello — Thu, 19 Sep 2024 15:21:48 GMT

Hi @LizAndy123 ,

ok, it's the reverse condition:

<your_search> | stats values(ProjectID) AS ProjectID BY Speed | sort -Speed | head 10 | table ProjectID Speed

Ciao.

Giuseppe

Re: Help with Top 10 by Speed

LizAndy123 — Thu, 19 Sep 2024 15:42:25 GMT

Perfect - thank you so much