How to edit my timechart search to include the top...

jjasti · ‎05-15-2017

I want to raise an alert when the topmost field changes..

my weblog | implication prefix=geo client | time chart span=15m count by geoCountry

the above command gives several countries..but I only want one country (similar to top limit=1)
however timechart command doesn't seem to work with top command..

I want to monitor over a span of 15 min to see if the top requests from a country changes..

somesoni2 · ‎05-15-2017

Give this a try (assuming you run the search for last 30 mins)

my weblog | implication prefix=geo client | eval period=if(_time>=relative_time(now(),"-15m"),"current","previous")  
| stats count by period geoCountry | sort period -count | dedup period | stats values(geoCountry) as geoCountry | where mvcount(geoCountry)=2

This will return results if the top country for current (last 15 min) and previous (15 mins prior to last 15 min) period is different (last stats gives two values)

cmerriman · ‎05-15-2017

can you add something like:

|sort 0 _time - count|streamstats count as topCountry by _time|search topCountry=1

the streamstats should count 1,2,3,4.... for each country in order of highest to lowest count every 15 minute interval and then you search for the ones equal to 1 to get the top.

How to edit my timechart search to include the top command?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation