Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get top 20 results by aggregation method used in Trellis Layout?

sangs8788
Communicator
‎09-03-2018 10:17 PM

Hi

Below is a query which returns the latency over month by cust_id. Events contain fields as month=April, month=May etc

 ...| chart  max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id  useother=f limit=40 |sort  -Max, -P95

I would like to display this as a trellis chart by the Aggregation method used. While using Trellis Layout , i am getting graph each one for Max, Avg, P95 - 3 charts. How to display top 20 cust_id latency values for each aggregation method ? Is that possible ?

alt text

Preview file
1 KB
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-04-2018 03:58 AM

Try this please:

  ...| chart max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id  useother=f limit=40 |sort  -Max, -P95 | top 20 cust_id
0 Karma
Reply

niketn
Legend
‎09-03-2018 10:33 PM

@sangs8788 try using the split-by field as cust_id instead of default Aggragation.

  <option name="trellis.splitBy">cust_id</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎09-03-2018 11:09 PM

@niketnilay That would result me in layout for each customer. I would like to have the aggregation as the layout and display top 10 customer values for each aggregation type. How do i do that ?

0 Karma
Reply

niketn
Legend
‎09-03-2018 11:35 PM

Then you would need to do it by month.

<option name="trellis.splitBy">month</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎09-03-2018 11:50 PM

@niketnilay Sorry if i am not being clear. What i would like to know is in a year, do we server customer with same Max, P95 ,Avg latency. To see which are the customer not satisfied for the entire year monthwise. This results may contain a customer whose value was high only for one month but not always/ or it is always. Is this possible ?

For this i would need a chart for Avg, Max, P95 - trend for every month and show only the top 20 values for each layout. Having split by month will not show me the trend of Avg/Max/p95 of the same customer/all customer.

0 Karma
Reply

niketn
Legend
‎09-04-2018 12:01 AM

@sangs8788, sorry I am not clear with the expected output. Can you draw something on paper/mock screenshot of expected output?

PS: I have converted my answer to comment so that the question flags as unanswered for others to pitch in as well 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎09-04-2018 03:10 AM

Thanks. I will share this by tomorrow. Caught up with meeting now.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...