topic Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart? in Splunk Search

How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

tomer — Mon, 08 Sep 2014 10:34:40 GMT

i have stacked columns chart that covers 24h w. 1h spans
i use timechart's default limit=10 and get 10 categories + OTHER.
some spans in my graph are entirely made up of OTHER items.
this isn't very useful.
i would like to see the top 10 categories in each span not the top 10 for the entire duration of the chart imposed on spans.
is there a way to get the behaviour i'm after?

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

theouhuios — Mon, 08 Sep 2014 11:44:41 GMT

Can you please post your search. If you are trying to remove OTHER values then palce useother=f at the end of the timechart command.

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

tomer — Mon, 28 Sep 2020 17:30:50 GMT

i'm not trying to remove OTHER.
i want to keep OTHER, but i want the decision about which items are included under OTHER to be made on a per-span basis (not per chart basis).
let's say host1 appears very few times in the 1st span, and many times in the 2nd span. i want it to be included under OTHER in the first span visualization, but i want to see it as its own category in the 2nd span.

my search looks likes this:
some_entry_type_text | timechart span=1h count by some_field

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

MuS — Mon, 08 Sep 2014 12:30:08 GMT

Hi tomer,

timechart will calculate the top values for the particular metric overall.
If you want to show this for each hour try using something like this:

  some_entry_type_text | bucket _time span=1h | chart count over _time by some_field

but still you will not get this kind of grouping for OTHER; you can use limit=xx to set a limit for chart or timechart to calculate the OTHERS.

Maybe this can help you to get the result you want; take this run everywhere command:

index=_internal | bucket _time span=1h | stats count by series, _time | chart limit=10 count over _time by series

this will stats the hourly buckets frist and use them in a chart, adopt it to your needs and see if it helps.

Like this:

some_entry_type_text | bucket _time span=1h | stats count by some_field, _time | chart limit=20 count over _time by some_field

cheers, Mus

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

alacercogitatus — Mon, 08 Sep 2014 13:24:58 GMT

This is a way to do what you require - be wary - it might take EXCESSIVE amounts of time depending on your volume of information. Also - as written - this search is equivilent to "earliest=-1d@d latest=@d".

|gentimes start=-1 end=0 increment=1h | map maxsearches=24 search="search earliest=$starttime$ latest=$endtime$ <your_base_search> | bucket _time span=1h | top useother=t limit=10 <some_field> by _time | fields - percent" | timechart limit=0 sum(count) as "WIN" by <some_field>

replace <some_field> with your field, and <base_search> with your base search. Narrow down "base_search" as far as you can to be as specific as you can to keep this running smoothly.

Questions? Find me on #splunk IRC on efnet.org. alacer's the name.

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

martin_mueller — Mon, 08 Sep 2014 13:51:52 GMT

Shouldn't there be a limit=0 in the timechart at the end?

Also, be wary of huge numbers of hard-to-distinguish colours being used, up to 241 in fact.

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

alacercogitatus — Mon, 08 Sep 2014 13:56:33 GMT

You can set limit=0, sure. Then you won't be limiting the limits.

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

tomer — Mon, 28 Sep 2020 17:30:58 GMT

alacercogitatus,
i started working off of what MuS suggested and came up with something almost identical to your suggestion except without gentime/map -
| bucket _time span=1h | top limit=10 useother=t by _time | timechart span=1h limit=0 sum(count) by

i think gentimes/map are redundant here - do you agree? do you have a scenario in mind where they would produce different results?

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

alacercogitatus — Mon, 08 Sep 2014 14:25:56 GMT

I don't have any in mind just this moment. There might be one. Yours is pretty slick, good job!

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

MuS — Mon, 08 Sep 2014 14:40:53 GMT

using top instead of stats - nice 🙂

Re: How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

moisesroth — Wed, 16 Nov 2016 13:19:25 GMT

Another way is:

<your_base_search> | bucket _time span=1h | top 10 categories by _time