Building for the Splunk Platform

How to show the Report to display the Top 10 Max values

rajeswariramar
New Member

Report to show the Top 10 Max values

I want the Report as below

IBD successcont Mintime Maxtime

IBD1 2 3000 11071

IBD2 2 2678 2265

etc

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD

i want to list the top 10 max values to be retrived....

can you please advice

Tags (1)
0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Please try this

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort 10 -max

View solution in original post

0 Karma

mayurr98
Super Champion

hey try this!

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort limit=10 max desc

you can use sort command and limit option to limit the number of top values!
Refer this doc.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort#Description

Let me know if this helps you!

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Please try this

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort 10 -max
0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...