Solved: How to display current and previous ranks of top 1...

abhi_syntel_hum · ‎05-05-2016

Hi,

Initially I tried with:

ConsumerService HostEnvironmentName=PROD| top limit=10 message

to get the daily details, then to display current rank modified with:

ConsumerService HostEnvironmentName=PROD| top limit=10 message | streamstats count as C.Rank

but I am struggling to get the ranks of top 10 messages for previous day,

Please guide me to right direction.

Abhishek

sundareshr · ‎05-05-2016

See if this gives you what you're looking for

index=_internal sourcetype=*web* earliest=-1d@d | top 100 uri | streamstats count as "Yesterday's Rank" | where [ search index=_internal sourcetype=*web* earliest=@d | top 10 uri | table uri] | rename percent as "Yesterday's Percent" | appendcols [ search index=_internal sourcetype=*web* earliest=@d | top 10 uri ] | streamstats count as "Today's Rank" | rename percent as "Today's Percent" | fields - count

View solution in original post

sundareshr · ‎05-05-2016

See if this gives you what you're looking for

index=_internal sourcetype=*web* earliest=-1d@d | top 100 uri | streamstats count as "Yesterday's Rank" | where [ search index=_internal sourcetype=*web* earliest=@d | top 10 uri | table uri] | rename percent as "Yesterday's Percent" | appendcols [ search index=_internal sourcetype=*web* earliest=@d | top 10 uri ] | streamstats count as "Today's Rank" | rename percent as "Today's Percent" | fields - count

abhi_syntel_hum · ‎05-05-2016

Thanks sundareshr for quick response.
The solution is perfect. I needed error counts also, so I replaced fields - count -> rename count as Count
Thanks again !!

How to display current and previous ranks of top 10 error messages with the respective count and percentage contribution on daily basis.

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk