Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart along with top and sort

xbbj3nj
Path Finder
‎04-23-2014 11:24 AM

Hi ,

All I want do is to convert the below stats table into a timerange result.
I'm using a LDAP log and getting the top 20 entries values and sorting it based on nentries

index="q_ldap" | top limit=0 nentries | sort 20 -nentries
(this works like a charm)
nentries count
2345 9
234 8
23 7
2 11
1 100
. .
. .
. .
No I want to convert this to timeseries, where I need to the see the count for the largest nentries value over time.

Im trying below query, but no luck and Im scratching my head how to combine timechart and sort, any help would be highly appreciated.

index="q_ldap" | sort 20 -nentries| timechart limit=20 span=10m count by nentries

Tags (3)
0 Karma
Reply

linu1988
Champion
‎04-23-2014 12:24 PM

you loose timechart or you have to give up on sort both will not make sense.

index="q_ldap" [|search index="q_ldap" |dedup nentries|sort -nentries|head 20|table nentries]|timechart count by nentries

Updated: I have filtered out the entries from the parent dataset for the top 20 sorted nentries

Reply

linu1988
Champion
‎04-28-2014 02:11 PM

dedup nentries will take out all the time entries which has happened before, only latest one will be kept for search, won't it? so it's important to have the sub search to get the entries upon which the timechart will be done. Correct me if i am wrong.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-24-2014 12:35 AM

sorry to interfere here 😉
I think this is a bit over done and can be reduced to a single search like this:

index="q_ldap" | dedup nentries | sort -nentries | head 20 | timechart count by nentries

it works with a run everywhere example like this:

index=_internal source=*metrics.log | dedup kb | sort 20 -kb | head 20 | timechart count by kb

Reply

linu1988
Champion
‎04-23-2014 11:01 PM

Feel free to mark it as answer 🙂

Reply

xbbj3nj
Path Finder
‎04-23-2014 02:47 PM

@linu1988 : Thank you so much, I had to do a minor tweak of your query to get my desired results

index="q_ldap"[|search index="q_ldap" |dedup nentries|sort 20 -nentries |head 20| table nentries ]| timechart limit=20 useother=f usenull=f count by nentries | sort by nentries

Thanks Again !!

0 Karma
Reply

linu1988
Champion
‎04-23-2014 12:49 PM

I have made some changes could you try it?

Reply

xbbj3nj
Path Finder
‎04-23-2014 12:31 PM

Thanks for that .. but to be clear on my need.. I'm filtering the whole lot of nentries 1st and then trying to sort based on the values of nentries, ie largest and not it's count.... so How do I apply filter for largest values in timechart ? say the result is 0,1,2,5,78,100,23,350...... and i want to show only the largest value in the timechart.. i.e 350,100,78 out of all

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...