Hi All,
I am trying to get the top n users who made calls to some APIs over a span of 5 minutes.
For example:
By the below query, I can see the chart which made calls for a period of time over a span of 5 minutes.
Query
timechart span=5min count(action) by applicationname
Now, I need to select the top n users (applicationname) which had a high number of calls only for a span of 5 minutes.
In the below image, I need the users with sudden spikes.
Thank you both. Is there any other approach to get this result? If so, please do help me on this.
Thanks
Thank you both. Is there any other way where I can achieve this?
To get the count over a sliding window you'd need to do - as I mentioned - streamstats with time_window set to your 5 minutes. Then you can do a simple top command or something like that.
The timechart command has a limit option that will give you the top n results.
| timechart span=5min limit=5 count(action) by applicationname
It's not that easy 😉
1. Often overlooked thing - timechart with span=something means just chopping time into span-sized slices. It does _not_ mean doing a sliding window aggregation. I suppose you can't do that any other way than using streamstats.
2. limit=X with timechart gives you only X top results _overall_, not per each bin.
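
The difference between span-sized slices and a sliding window, modelled in plain Python as an added example (not part of the original thread, and not SPL). The event list, application names and function names are constructed for illustration, and the rule for the window edge is an assumption.

```python
from collections import Counter, defaultdict, deque

SPAN = 300  # 5 minutes, in seconds

# Constructed sample events: (epoch_seconds, applicationname).
# "batch" makes 4 evenly spread calls inside one slice; "burst" makes 6 calls
# within about a minute, straddling the slice boundary at t=300.
EVENTS = sorted(
    [(t, "batch") for t in (10, 80, 150, 220)]
    + [(t, "burst") for t in (270, 280, 290, 305, 315, 325)]
    + [(t, "quiet") for t in (50, 400)]
)

def peak_fixed_bins(events, span=SPAN):
    """Peak per-app count when time is chopped into span-sized slices."""
    bins = Counter((app, t // span) for t, app in events)
    peaks = defaultdict(int)
    for (app, _), n in bins.items():
        peaks[app] = max(peaks[app], n)
    return dict(peaks)

def peak_sliding(events, span=SPAN):
    """Peak per-app count over a trailing window of `span` seconds.

    Assumption: an event exactly `span` seconds old has left the window.
    """
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for t, app in events:  # events must be in ascending time order
        w = windows[app]
        w.append(t)
        while w[0] <= t - span:  # drop events that fell out of the window
            w.popleft()
        peaks[app] = max(peaks[app], len(w))
    return dict(peaks)

def top_n(peaks, n):
    """Names of the n apps with the highest peak, ties broken by name."""
    ranked = sorted(peaks.items(), key=lambda kv: (-kv[1], kv[0]))
    return [app for app, _ in ranked[:n]]

if __name__ == "__main__":
    for name, fn in (("fixed bins", peak_fixed_bins), ("sliding", peak_sliding)):
        peaks = fn(EVENTS)
        print(f"{name:10} peaks={peaks} top1={top_n(peaks, 1)}")
```

With slicing, the burst is split across two slices and ranks below the steady caller; the sliding window ranks it first.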