Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit results in a bar chart while still sorting by one of the values of column-split field?

nickrally2009
Explorer
‎03-17-2020 12:44 PM

I have this search, where I am charting usage over id field (which is on x-axis) split by two columns - two values of Day field.

source=foo resource=foobar
earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)" 
| chart latest(usage) over id by Day 
| where Yesterday!=Today | table id Yesterday Today | sort Today

Is there a way to limit the result to a certain number?
I tried | sort 5 Today .

| sort Today breaks when I add a limit - as if it stops sorting by Today and starts sorting by id.
When I use sort 5 Now it results in sorting by id while I actually want to sort by usage in Today column. Is that possible?

Thank you.

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎03-17-2020 12:57 PM 
source=foo resource=foobar
earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)" 
| chart latest(usage) over id by Day 
| streamstats count(eval(Yesterday!=Today)) as session
| where Yesterday!=Today AND session < 6
| table id Yesterday Today

see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart

  • limit
    • Syntax: limit=
    • Description: Only valid when a column-split is specified. Use the limit option to specify the number of results that should appear in the output. When you set limit=N the top N values are retained, based on the sum of each series. If limit=0, all results are returned.
0 Karma
Reply

nickrally2009
Explorer
‎03-17-2020 01:37 PM

@to4kawa, thanks, but I am afraid limit is not working. I saw a few posts on this forum that limit does not necessarily work with chart command, and also, per documentation, "The limit and agg options are ignored if an explicit where-clause is provided", and I have a where clause in my search. Also, it does not look like head works with my search either. I am looking for a way to sort by values of a column-split field, and limit the data points to a specific number.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-17-2020 01:55 PM

If you need sort, try before streamstats

0 Karma
Reply

nickrally2009
Explorer
‎03-17-2020 02:17 PM

@to4kawa, thanks, I tried the search you suggested, using streamstats count as session but unfortunately it resulted in only one data point: Yesterday/Today group for only one id, and based on the value of id it is obvious that it is sorted by id, not a value in column-split field.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-17-2020 02:24 PM

Have you try sort before streamstats?

0 Karma
Reply

nickrally2009
Explorer
‎03-17-2020 05:26 PM

yes, I did

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...