topic Re: Top 10 for each date in Splunk Search

Top 10 for each date

bmer — Sun, 13 Oct 2024 13:57:17 GMT

I have below splunk which gives result of top 10 only for a particular day and I know the reason why too. How can I tweak it to get top 10 for each date i.e. If I run the splunk on 14-Oct, the output must include 10-Oct, 11-Oct, 12.-Oct and 13-Oct each with top 10 table names with highest insert sum

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort limit=10 +_time -count

Thanks in advance

Re: Top 10 for each date

ITWhisperer — Sun, 13 Oct 2024 14:19:14 GMT

Re: Top 10 for each date

bmer — Mon, 14 Oct 2024 03:55:18 GMT

Thanks @ITWhisperer This helps. Iam going to read more about streamstats command now.My desired output is as below where am trying to see daily % growth of data.For eg. The green colored table is the output I got from your modified splunk.I want to generate output as per other table where "daily % growth" (for each table in a date) formula is (120-100)/100 rounded to 0 as percentage output.

Is this something which can be achieved?

Re: Top 10 for each date

PickleRick — Mon, 14 Oct 2024 07:05:31 GMT

There is an easier way.

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort 0 +_time -count | dedup 10 _time

Re: Top 10 for each date

ITWhisperer — Mon, 14 Oct 2024 08:19:51 GMT

| sort 0 _time | streamstats latest(count) as previous by Table_Name window=1 global=f current=f | eval increase=round(100*(count-previous)/previous,0)

Re: Top 10 for each date

bmer — Mon, 14 Oct 2024 09:31:23 GMT

@ITWhisperer did you mean the final splunk query would look like as below?

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d | bin _time span=1d | stats sum(numRows) as count by _time,table_Name | sort limit=10 +_time -count | sort 0 _time | streamstats latest(count) as previous by Table_Name window=1 global=f current=f | eval increase=round(100*(count-previous)/previous,0)

Re: Top 10 for each date

ITWhisperer — Mon, 14 Oct 2024 09:55:27 GMT

No, more like this

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.