How to sort the results of a timechart top 5 clien...

tmurray3 · ‎12-17-2014

I have the following query to generate a list of the top 5 clients by volume percentage:

index=volume_hourly_summary report="keyvolumebyhour" | timechart span=1w sum(count) by clientkey limit=5| untable _time clientkey count|eventstats sum(count) as Total by _time|eval clientpercent=round(count*100/Total,2)| table _time,clientkey clientpercent| xyseries _time clientkey clientpercent

I have tried to get the results to be sorted by client percentage, but the output is always sorted by clientkey.

Any ideas?

Thanks in advance for your help!!

dounla2carlos · ‎01-16-2015

there is problem in your request
sum(count) the field count doesnt exist so you wont get any interesting result
If the output is always sorted by clientkey, its because of this: "timechart span=1w sum(count) by clientkey limit=5"
To have them sorted by Clientpercent you need have a count by Clientpercent n your request

gyslainlatsa · ‎12-19-2014

Hi tmurray3 ,
try use the sort command as below

index=volume_hourly_summary report="keyvolumebyhour" | timechart span=1w sum(count) by clientkey limit=5| untable _time clientkey count|eventstats sum(count) as Total by _time|eval clientpercent=round(count*100/Total,2)| table _time,clientkey clientpercent| xyseries _time clientkey clientpercent |sort -Clientpercent

sort -Clientpercent to sort in descending order

somesoni2 · ‎12-17-2014

With current query you're getting top 5 clientkey for every week and the clientkey may be different in every week. How many columns you get in the final result?

How to sort the results of a timechart top 5 clients list by client percentage?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor