Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my timechart search to find the top 5 users who get disconnected from our application on a monthly basis?

mishradb
New Member
‎06-12-2015 09:51 AM

I would like to view the top 5 users who get disconnected from our application on a monthly basis. I ran the search below from Jan 15 to Jun 15:

index=client sourcetype=client-logs "channel connect failed" channel=* date_month!=NULL  | timechart count by guid where max in top5.

However, if i run the search above for just 1 month, the top 5 users returned is different from what i get when i run it for 6 months.
Considering the fact that, the top 5 users could vary on a monthly basis, what is the best way of achieving this?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-12-2015 10:35 AM

Beware the use of the date_* fields, they are not always correct (ask me why if you really would like the gory details). Try this:

index=client sourcetype=client-logs "channel connect failed" channel=* | timechart span=1m count BY guid | top 5 count BY guid,_time
Reply

aweitzman
Motivator
‎06-12-2015 10:12 AM

You should be able to just use top for this:

... | top 5 guid by date_month
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...