Get the top n results when searched by count and span

SaiDarur
New Member

Hi All,

I am trying to get the top n users who made calls to some APIs over a span of 5 minutes.

For example:
By the below query, I can see the chart which made calls for a period of time over a span of 5 minutes.

Query

timechart span=5min count(action) by applicationname

Now, I need to select the top n users (applicationname) which had a high number of calls only for a span of 5 minutes.

In the below image, I need the users with sudden spikes.

Capture.PNG

0 Karma

SaiDarur
New Member

Thank you both. Is there any other approach to get this result? If so, please do help me on this.
Thanks

0 Karma

SaiDarur
New Member

Thank you both. Is there any other way where I can achieve this?

0 Karma

PickleRick
SplunkTrust

To get the count over a sliding window you'd need to do - as I mentioned - streamstats with time_window set to your 5 minutes. Then you can do a simple top command or something like that.

0 Karma

richgalloway
SplunkTrust

The timechart command has a limit option that will give you the top n results.

| timechart span=5min limit=5 count(action) by applicationname

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust

It's not that easy 😉

1. Often overlooked thing - timechart with span=something means just chopping time into span-sized slices. It does _not_ mean doing a sliding window aggregation. I suppose you can't do that any other way than by using streamstats.

2. limit=X with timechart gives you only X top results _overall_, not per each bin.

0 Karma
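Added example, not part of the thread and not any poster's code: a small Python model (not SPL) of the two points in the reply above, showing how span-sized slices split a burst that a sliding 5-minute window catches, and how a top-n taken overall differs from a top-n taken per bin. The events, application names and function names are constructed for illustration.

```python
from collections import Counter, defaultdict, deque

SPAN = 300  # 5 minutes, in seconds

# Constructed sample events (epoch_seconds, applicationname); not data from the thread.
EVENTS = sorted(
    [(t, "steady") for t in range(0, 900, 60)]       # 1 call per minute for 15 minutes
    + [(t, "bursty") for t in range(280, 320, 5)]    # 8 calls straddling the 300 s bin edge
    + [(t, "late") for t in range(600, 670, 10)]     # 7 calls, all inside the last bin
)

def fixed_bins(events, span=SPAN):
    """Counts per (bin_start, app): time chopped into span-sized slices."""
    counts = defaultdict(Counter)
    for ts, app in events:
        counts[ts - ts % span][app] += 1
    return counts

def top_n_overall(events, n):
    """Top n apps by total count over the whole range (one list for all bins)."""
    return [app for app, _ in Counter(a for _, a in events).most_common(n)]

def top_n_per_bin(events, n, span=SPAN):
    """Top n apps ranked separately inside each bin."""
    bins = fixed_bins(events, span)
    return {b: [app for app, _ in bins[b].most_common(n)] for b in sorted(bins)}

def sliding_peaks(events, window=SPAN):
    """Peak calls per app in any trailing window; events must be time-ascending."""
    recent = defaultdict(deque)
    peak = Counter()
    for ts, app in events:
        q = recent[app]
        q.append(ts)
        while q[0] <= ts - window:   # drop calls older than the window
            q.popleft()
        peak[app] = max(peak[app], len(q))
    return peak

if __name__ == "__main__":
    print("overall top 1:", top_n_overall(EVENTS, 1))
    print("per-bin top 1:", top_n_per_bin(EVENTS, 1))
    print("bursty per bin:", {b: c["bursty"] for b, c in fixed_bins(EVENTS).items()})
    print("sliding peaks:", sliding_peaks(EVENTS).most_common())
```

In this constructed data "bursty" never leads a fixed bin because its 8 calls are split 4 and 4 across the bin edge, yet it has the highest sliding-window peak.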