Splunk Search

How to apply a top/limit for each bucket in my search results?

New Member

For each request made to our app, we collect a log event that contains a uri and a response_time property.

I want to answer the following question:

For each day, what are the 5 uris with the highest average response time.

I was able to create a search to calculate the avg response time of each uri per day:

my_search
| bucket _time span=day
| stats avg(response_time) as avg_response_time by _time request_path

This creates daily buckets, but I don't know how to limit each bucket to contain only the top 5 avg_response_time for each day/bucket.

0 Karma
1 Solution

Legend

It is just a little different... (BTW, bucket + stats = timechart)

my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5

View solution in original post

0 Karma

Legend

It is just a little different... (BTW, bucket + stats = timechart)

my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5

View solution in original post

0 Karma

New Member

Thanks, your streamstats usage got me where I needed. But I had to change the timechart back to bucket + stats to get the data in the format that I needed.

timechart would put the request_path values as columns, with bucket + stats I got a "request_path" column with each value becoming a row, exactly what I needed.

0 Karma

Legend

Got it! good catch...

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!