suppose my logs have fields A=a1..aN, B=b1..bN, C=c1..cN
and I see an increase in number of requests, i.e
index=* | bucket _time span=1h | stats count by _time
Is there a special query that I can execute which allows me to easily figure out which dimension / value is contributing to the increase most?
e.g. the outcome would be
A=a423 has increased the traffic the most
This is a bit fiddly as normally you could use top to find the most common field. One question, do you want to have your top field shown by 1 hour time as in your example.
Anyway, you can try this
index=*
| bucket _time span=1h
| eventstats count as topA by A _time
| eventstats count as topB by B _time
| eventstats count as topC by C _time
| eventstats max(topA) as maxA by _time
| eventstats max(topB) as maxB by _time
| eventstats max(topC) as maxC by _time
| where topA=maxA OR topB=maxB OR topC=maxC
| stats values(eval(if(topA=maxA,A,null()))) as A
values(eval(if(topB=maxB,B,null()))) as B
values(eval(if(topC=maxC,C,null()))) as C
max(max*) as max* by _time
| table _time A maxA B maxB C maxC
It's heavy on using eventstats, which is not very efficient, but is calculating counts of each of the fields then looking for the max of those fields and then filtering only the ones that are max for each of the fields.
The final stats is then working out the values of each field (there could be more than one value with the same count)
This will give you the max of each field in the given time period
Hope this is useful
I may have over complicated it, but I can't think of a simple solution at the moment, others may chime in.