Solved: How to use stats command after top command.

rakshithreddy · ‎06-14-2017

Hi all
I am trying to do the following search.
which would result in Top 5 apiname values along with their apitime(avg,min,max) values included but unable to get the list the data.

index=cub source=xyz.log
|top limit=5 apiName
|stats avg(apiTime),min(apiTime),max(apiTime) by apiName

Thank you.

somesoni2 · ‎06-15-2017

After top you only left with 5 records of most occuring apiName, corresponding count and percentage. There is no apiTime field available so the stats fails. Try like this

index=cub source=xyz.log
|stats count avg(apiTime),min(apiTime),max(apiTime) by apiName
| eventstats sum(count) as total | eval perc=count*100/total
| sort 5 -count | fields - total

View solution in original post

woodcock · ‎06-15-2017

Like this:

index=cub source=xyz.log
[ index=cub source=xyz.log
| top limit=5 apiName 
| fields apiName ] 
| stats avg(apiTime) min(apiTime) max(apiTime) BY apiName

DalJeanis · ‎06-15-2017

Hmmm. Seems like it would be possible to substitute a tstats command into the subsearch that would make it more efficient than somesoni2's version, solely when there is a high cardinality for apiName and/or a longer time period that makes the stats expensive...

somesoni2 · ‎06-15-2017

After top you only left with 5 records of most occuring apiName, corresponding count and percentage. There is no apiTime field available so the stats fails. Try like this

index=cub source=xyz.log
|stats count avg(apiTime),min(apiTime),max(apiTime) by apiName
| eventstats sum(count) as total | eval perc=count*100/total
| sort 5 -count | fields - total

woodcock · ‎06-15-2017

This answer is better; mine is mainly for education because it is more like how you were trying to solve it (but don't use it).

How to use stats command after top command.

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability