How to edit my timechart search to include the top...

jjasti · ‎05-15-2017

I want to raise an alert when the topmost field changes..

my weblog | implication prefix=geo client | time chart span=15m count by geoCountry

the above command gives several countries..but I only want one country (similar to top limit=1)
however timechart command doesn't seem to work with top command..

I want to monitor over a span of 15 min to see if the top requests from a country changes..

somesoni2 · ‎05-15-2017

Give this a try (assuming you run the search for last 30 mins)

my weblog | implication prefix=geo client | eval period=if(_time>=relative_time(now(),"-15m"),"current","previous")  
| stats count by period geoCountry | sort period -count | dedup period | stats values(geoCountry) as geoCountry | where mvcount(geoCountry)=2

This will return results if the top country for current (last 15 min) and previous (15 mins prior to last 15 min) period is different (last stats gives two values)

cmerriman · ‎05-15-2017

can you add something like:

|sort 0 _time - count|streamstats count as topCountry by _time|search topCountry=1

the streamstats should count 1,2,3,4.... for each country in order of highest to lowest count every 15 minute interval and then you search for the ones equal to 1 to get the top.

How to edit my timechart search to include the top command?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

How to edit my timechart search to include the top command?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!