I have this search, where I am charting usage over the id field (which is on the x-axis) split by two columns - the two values of the Day field.
source=foo resource=foobar
earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart latest(usage) over id by Day
| where Yesterday!=Today | table id Yesterday Today | sort Today
Is there a way to limit the result to a certain number? I tried | sort 5 Today. | sort Today breaks when I add a limit - as if it stops sorting by Today and starts sorting by id. When I use sort 5 Now it results in sorting by id, while I actually want to sort by usage in the Today column. Is that possible?
Thank you.
source=foo resource=foobar
earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart latest(usage) over id by Day
| streamstats count(eval(Yesterday!=Today)) as session
| where Yesterday!=Today AND session < 6
| table id Yesterday Today
See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart
@to4kawa, thanks, but I am afraid limit is not working. I saw a few posts on this forum that limit does not necessarily work with the chart command, and also, per documentation, "The limit and agg options are ignored if an explicit where-clause is provided", and I have a where clause in my search. Also, it does not look like head works with my search either. I am looking for a way to sort by the values of a column-split field, and limit the data points to a specific number.
If you need sort, try it before streamstats.
@to4kawa, thanks, I tried the search you suggested, using streamstats count as session, but unfortunately it resulted in only one data point: a Yesterday/Today group for only one id, and based on the value of id it is obvious that it is sorted by id, not by a value in the column-split field.
Have you tried sort before streamstats?
yes, I did
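As an added example (not a search posted by anyone in this thread), the pieces discussed above combined into one search: the where clause runs first, sort orders the Today column, and streamstats numbers the remaining rows so a second where keeps only the first five. The num() wrapper is an assumption on my part: usage values extracted by rex are strings, so without it sort compares them lexicographically rather than numerically.

```spl
source=foo resource=foobar earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart latest(usage) over id by Day
``` keep only ids whose usage changed between the two days
| where Yesterday!=Today
``` descending numeric order on the Today column; num() forces numeric comparison (assumption: usage is numeric text)
| sort -num(Today)
``` number the already-sorted rows, then keep the top five
| streamstats count as rank
| where rank <= 5
| table id Yesterday Today
```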