Re: top10 for each span in a time chart

cwinkler109 · ‎03-26-2019

Hello. I'm trying to create a bar chart visualization that shows the top10 eventId's by count for each day over the past 7 days.

The search I have is returning more than 10 results per day.

index=myindex earliest=-7d latest=now | timechart span=1d count by eventId where top10

I see similar questions posted on answers.splunk.com but none of the posts provide a clear answer.

Thanks in advance.

cwinkler109 · ‎04-01-2019

This gives me what I was looking for:

index=myindex earliest=-7d latest=now
| eval date=strftime(_time, "%Y-%m-%d")
| top 10 eventId by date
| chart useother=0 values(count) over date by eventId where top100

nu_learner · ‎01-17-2023

Thank you @cwinkler109 - your answer helped me as well!

cwinkler109 · ‎03-26-2019

I tried the recommended approach in that post but it returns the same 10 eventId's for every day in the span. In other words, yesterdays top 10 eventId's should be different than todays. The query outputs the same eventsId's for each each day which is not showing the data I am looking for.

index=myindex earliest=-7d latest=now | timechart span=1d count useother=f usenull=f by eventId WHERE max in top10

I'll keep investigating.....

adonio · ‎03-26-2019

fabulous answer here:

https://answers.splunk.com/answers/667235/how-to-timechart-for-only-the-10-highest-counted-v.html

hope it helps

How to get top10 for each span in a time chart?

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation