Splunk Search

How can I search the 10 highest values per day?

Motivator

Hi,

I would like to find out the 10 highest values per day.

... | bucket span=1d _time
| stats sum(xyz) AS values BY _time, user

I expected the | head command to work here, but this does not accept by _time.

BR Heinz


Re: How can I search the 10 highest values per day?

Influencer

This should work


... | bucket span=1d _time
| stats sum(xyz) AS values BY _time, user
| sort -_time -values
| dedup 10 _time

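The sort-then-dedup pattern from the answer, as an added runnable example that is not part of the original thread. It builds nine constructed events inline with makeresults and eval instead of reading an index, so it can be pasted into any Splunk search bar; the helper fields ts, data and day and the sample users and values are assumptions made for the example. It keeps the top 3 per day rather than 10 so the cut-off is visible with a small data set; change dedup 3 to dedup 10 for the original question.

```spl
| makeresults
| eval data="2024-05-01T08:00:00 alice 50;2024-05-01T09:00:00 bob 30;2024-05-01T10:00:00 alice 25;2024-05-01T11:00:00 carol 10;2024-05-01T12:00:00 dave 5;2024-05-02T08:00:00 bob 80;2024-05-02T09:00:00 alice 5;2024-05-02T10:00:00 dave 60;2024-05-02T11:00:00 carol 45"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<ts>\S+)\s+(?<user>\S+)\s+(?<xyz>\d+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| fields _time user xyz
| bucket span=1d _time
| stats sum(xyz) AS values BY _time, user
| sort 0 -_time -values
| dedup 3 _time
| eval day=strftime(_time, "%Y-%m-%d")
| table day user values
```

Expected result: for 2024-05-01 the rows alice 75, bob 30, carol 10 (dave 5 is dropped); for 2024-05-02 the rows bob 80, dave 60, carol 45 (alice 5 is dropped). Two details worth knowing before running this on real data: dedup N _time keeps the first N rows per distinct _time value in the order they arrive, so the search only returns the highest values because the sort puts each day's largest values first; and sort truncates its output at 10,000 rows by default, so on a search with many user/day combinations write sort 0 (as above) to lift that limit, otherwise later days may be cut off before dedup ever sees them.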


Re: How can I search the 10 highest values per day?

Motivator

This works fine, thanks a lot!
