topic Re: Timechart along with top and sort in Splunk Search

Timechart along with top and sort

xbbj3nj — Wed, 23 Apr 2014 18:24:54 GMT

Hi ,

All I want do is to convert the below stats table into a timerange result.
I'm using a LDAP log and getting the top 20 entries values and sorting it based on nentries

index="q_ldap" | top limit=0 nentries | sort 20 -nentries
(this works like a charm)
nentries count
2345 9
234 8
23 7
2 11
1 100
. .
. .
. .
No I want to convert this to timeseries, where I need to the see the count for the largest nentries value over time.

Im trying below query, but no luck and Im scratching my head how to combine timechart and sort, any help would be highly appreciated.

index="q_ldap" | sort 20 -nentries| timechart limit=20 span=10m count by nentries

Re: Timechart along with top and sort

linu1988 — Wed, 23 Apr 2014 19:24:52 GMT

you loose timechart or you have to give up on sort both will not make sense.

index="q_ldap" [|search index="q_ldap" |dedup nentries|sort -nentries|head 20|table nentries]|timechart count by nentries

Updated: I have filtered out the entries from the parent dataset for the top 20 sorted nentries

Re: Timechart along with top and sort

xbbj3nj — Wed, 23 Apr 2014 19:31:01 GMT

Thanks for that .. but to be clear on my need.. I'm filtering the whole lot of nentries 1st and then trying to sort based on the values of nentries, ie largest and not it's count.... so How do I apply filter for largest values in timechart ? say the result is 0,1,2,5,78,100,23,350...... and i want to show only the largest value in the timechart.. i.e 350,100,78 out of all

Re: Timechart along with top and sort

linu1988 — Wed, 23 Apr 2014 19:49:33 GMT

I have made some changes could you try it?

Re: Timechart along with top and sort

xbbj3nj — Mon, 28 Sep 2020 16:27:20 GMT

@linu1988 : Thank you so much, I had to do a minor tweak of your query to get my desired results

Thanks Again !!

Re: Timechart along with top and sort

linu1988 — Thu, 24 Apr 2014 06:01:31 GMT

Feel free to mark it as answer 🙂

Re: Timechart along with top and sort

MuS — Thu, 24 Apr 2014 07:35:29 GMT

sorry to interfere here 😉
I think this is a bit over done and can be reduced to a single search like this:

index="q_ldap" | dedup nentries | sort -nentries | head 20 | timechart count by nentries

it works with a run everywhere example like this:

index=_internal source=*metrics.log | dedup kb | sort 20 -kb | head 20 | timechart count by kb

Re: Timechart along with top and sort

linu1988 — Mon, 28 Apr 2014 21:11:42 GMT

dedup nentries will take out all the time entries which has happened before, only latest one will be kept for search, won't it? so it's important to have the sub search to get the entries upon which the timechart will be done. Correct me if i am wrong.