Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Top 10 by Speed

LizAndy123
Path Finder
‎09-19-2024 07:20 AM

So I have a SPL and it searchs an Index and brings back over 1.8 Million events

I have done some evals to get the Project, Size of file and Speed.

What I want to do is just to list the top 10 speeds and their relevant Project (It could be the same project is listed 10 times)

I have done something with stats(sum) but I don't want the sum....

Out of the 1.8 Million I need to just show the top 10 events and speed and it project number

My fields from eval are ProjectID, MB is the size and speed is SecTM is the speed

I seem to be stuck on Splunk doing a sum for the entire Project and I guess that would be true since I am using sum

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2024 08:21 AM

Hi @LizAndy123 ,

ok, it's the reverse condition:

<your_search>
| stats values(ProjectID) AS ProjectID  BY Speed
| sort -Speed
| head 10
| table ProjectID Speed

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎09-19-2024 07:49 AM

That kinda is correct but we are still doing is a Sum - For example I know ProjectID 855 uploads at least 50,000 times in a 30 day period - what I want is to just find the top 10 speeds and just list the Project ID of that single event but show the top 10

So Project 855 uploaded at 10 seconds then 1 second then 50 seconds...then Project 888 uploaded at 80 seconds then 90 seconds....

 

I just want to see

Project 888 - 90

Project 888 - 80

Project 855 - 50

Project 855 - 10

Of course we have 00's of Projects so hopefully that makes sense 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2024 08:21 AM

Hi @LizAndy123 ,

ok, it's the reverse condition:

<your_search>
| stats values(ProjectID) AS ProjectID  BY Speed
| sort -Speed
| head 10
| table ProjectID Speed

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎09-19-2024 08:42 AM

Perfect - thank you so much

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2024 07:30 AM

Hi @LizAndy123 ,

let me understand:

you want to find the first 10 projectIDs by Speed and the list of project of them, is it correct?

if this is your requirement, you can use stats:

<your_search>
| stats sum(Speed) AS Speed values(Project) AS Project  BY ProjectID
| sort -Speed
| head 10

 this search runs if you have more Projects for each ProjectID.

If instead you want the most ten Projects BY Speed, you can use top:

<your_search>
| top 10 sum(Speed) AS Speed BY Project

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...