How can I use results of a stats table to output t...

spark2310 · ‎12-08-2017

I am using this query. output basically will return error codes sorted with high percentage difference (errors are increasing). I am using fields command to only output top 10 errors in table

since this query will show as stats table, how can I use this output to further pipe or do a timechart?

somesoni2 · ‎12-08-2017

If your timechart query's timerange is different from last 2 hr, then try like this

index=source [search index=source earliest=-2h sourcetype=e | bucket _time span=1h |stats count by code _time| delta count as difference | eval percdif=round(abs(difference/count)*100,0)|table code, count, difference, percdif|sort -percdif -count|where count>1100|fields code|head 10] 
| timechart count by code

spark2310 · ‎12-08-2017

It did not work, returns 0 results

somesoni2 · ‎12-08-2017

How about this

index=source sourcetype=e  [search index=source earliest=-2h sourcetype=e | bucket _time span=1h |stats count by code _time| delta count as difference | eval percdif=round(abs(difference/count)*100,0)|table code, count, difference, percdif|sort -percdif -count|where count>1100|fields code|head 10] 
 | timechart count by code

spark2310 · ‎12-08-2017

does this work if I pass more than one field (code and percdif) to timechart as well?

somesoni2 · ‎12-08-2017

It'll. As long as that field is present in main search.

spark2310 · ‎12-08-2017

Thanks working now

somesoni2 · ‎12-08-2017

What's your final expected output (that you want to generate for these top 10 error codes)?

spark2310 · ‎12-08-2017

Final output should be a timechart of the top 10 error codes (of query I posted above)

How can I use results of a stats table to output to another pipe or timechart?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7