Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get top 20 results by aggregation method used in Trellis Layout?

sangs8788
Communicator
‎09-03-2018 10:17 PM

Hi

Below is a query which returns the latency over month by cust_id. Events contain fields as month=April, month=May etc

 ...| chart  max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id  useother=f limit=40 |sort  -Max, -P95

I would like to display this as a trellis chart by the Aggregation method used. While using Trellis Layout , i am getting graph each one for Max, Avg, P95 - 3 charts. How to display top 20 cust_id latency values for each aggregation method ? Is that possible ?

alt text

Preview file
1 KB
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-04-2018 03:58 AM

Try this please:

  ...| chart max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id  useother=f limit=40 |sort  -Max, -P95 | top 20 cust_id
0 Karma
Reply

niketn
Legend
‎09-03-2018 10:33 PM

@sangs8788 try using the split-by field as cust_id instead of default Aggragation.

  <option name="trellis.splitBy">cust_id</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎09-03-2018 11:09 PM

@niketnilay That would result me in layout for each customer. I would like to have the aggregation as the layout and display top 10 customer values for each aggregation type. How do i do that ?

0 Karma
Reply

niketn
Legend
‎09-03-2018 11:35 PM

Then you would need to do it by month.

<option name="trellis.splitBy">month</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎09-03-2018 11:50 PM

@niketnilay Sorry if i am not being clear. What i would like to know is in a year, do we server customer with same Max, P95 ,Avg latency. To see which are the customer not satisfied for the entire year monthwise. This results may contain a customer whose value was high only for one month but not always/ or it is always. Is this possible ?

For this i would need a chart for Avg, Max, P95 - trend for every month and show only the top 20 values for each layout. Having split by month will not show me the trend of Avg/Max/p95 of the same customer/all customer.

0 Karma
Reply

niketn
Legend
‎09-04-2018 12:01 AM

@sangs8788, sorry I am not clear with the expected output. Can you draw something on paper/mock screenshot of expected output?

PS: I have converted my answer to comment so that the question flags as unanswered for others to pitch in as well 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎09-04-2018 03:10 AM

Thanks. I will share this by tomorrow. Caught up with meeting now.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...