Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show min/max of one column with top/count

atamido
New Member
‎04-22-2014 10:40 AM

The data I have looks like this:

Time    Shape   Color
12:00   square  green
12:01   circle  blue
12:02   square  blue
12:03   circle  green
12:04   square  green
12:05   circle  blue
12:06   square  green
12:07   circle  blue
12:08   square  green
12:09   circle  green

I would like something similar to the TOP view that shows Shape/Color/Count/Percent. But I would also like to see the min/max of the times for each of those also, so I can see the first and last times of each of those combinations. So the outgoing chart might look like:

Shape   Color  Count  Percent  Begin  End
square  green      4      40%  12:00  12:08
circle  blue       3      30%  12:01  12:07
circle  green      2      20%  12:03  12:09
square  blue       1      10%  12:02  12:02
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-22-2014 10:48 AM

Try this:

base search | stats count as Count earliest(_time) as Begin latest(_time) as End by Shape Color 
| eventstats sum(Count) as Total | eval Percent = round(Count/Total*100,2)."%"
| table Shape Color Count Percent Begin End

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-22-2014 10:48 AM

Try this:

base search | stats count as Count earliest(_time) as Begin latest(_time) as End by Shape Color 
| eventstats sum(Count) as Total | eval Percent = round(Count/Total*100,2)."%"
| table Shape Color Count Percent Begin End
Reply
Solved! Jump to solution

atamido
New Member
‎04-22-2014 12:33 PM

Amazing, that's exactly what I wanted. I added some time converts and a sort to act just like TOP, and I'm done.

base search | stats count as Count earliest(_time) as Begin latest(_time) as End by Shape Color
| eventstats sum(Count) as Total | eval Percent = round(Count/Total*100,2)."%"
| convert ctime(Begin) as Begin | convert ctime(End) as End | sort Count DESC
| table Shape Color Count Percent Begin End

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...