Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Graphing or bucketing a summary indexed query

Oren
Explorer
‎10-12-2010 06:42 PM

I've setup a summary index that works great. I usually use it like this:

index=summary search_name="Z - Top Domain - 15 minutes" | top 50 http_domain

When I run this query, it gives me three fields - the http_domain, the "count" which is the # of hits of that domain, and the percent of total. I'd like to graph the sum(count) by http_domain. I naively tried this, and of course failed hard. Attempts to use bucket have met with blank stares from the search engine as well.

It's clear the data is in there - if I run the query for 1 hour, I get 1 hour of results. Ideally then I could bucket the results each hour or equivalent.

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎10-13-2010 04:07 AM

How are you populating the summary index? If you're using "... | sitop http_domain" then the "... | top" is really the only valid thing you can do.

On the other hand, if you store the summary manually, say "... | stats count by http_domain", then you should be able to compute "... | timechart sum(count) by http_domain".

Calculating "... | top 50 http_domain" is a bit harder, say "... | stats sum(count) as count by http_domain | sort - count | head 50" and is even harder if you want percents, where you'll have to add "... | eventstats sum(count) as sum_count | eval percent = count / sum_count | fields - sum_count | ..." between the stats and the sort.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...