Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timechart along with top and sort

xbbj3nj
Path Finder
‎04-23-2014 11:24 AM

Hi ,

All I want do is to convert the below stats table into a timerange result.
I'm using a LDAP log and getting the top 20 entries values and sorting it based on nentries

index="q_ldap" | top limit=0 nentries | sort 20 -nentries
(this works like a charm)
nentries count
2345 9
234 8
23 7
2 11
1 100
. .
. .
. .
No I want to convert this to timeseries, where I need to the see the count for the largest nentries value over time.

Im trying below query, but no luck and Im scratching my head how to combine timechart and sort, any help would be highly appreciated.

index="q_ldap" | sort 20 -nentries| timechart limit=20 span=10m count by nentries

Tags (3)
0 Karma
Reply

linu1988
Champion
‎04-23-2014 12:24 PM

you loose timechart or you have to give up on sort both will not make sense.

index="q_ldap" [|search index="q_ldap" |dedup nentries|sort -nentries|head 20|table nentries]|timechart count by nentries

Updated: I have filtered out the entries from the parent dataset for the top 20 sorted nentries

Reply

linu1988
Champion
‎04-28-2014 02:11 PM

dedup nentries will take out all the time entries which has happened before, only latest one will be kept for search, won't it? so it's important to have the sub search to get the entries upon which the timechart will be done. Correct me if i am wrong.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-24-2014 12:35 AM

sorry to interfere here 😉
I think this is a bit over done and can be reduced to a single search like this:

index="q_ldap" | dedup nentries | sort -nentries | head 20 | timechart count by nentries

it works with a run everywhere example like this:

index=_internal source=*metrics.log | dedup kb | sort 20 -kb | head 20 | timechart count by kb

Reply

linu1988
Champion
‎04-23-2014 11:01 PM

Feel free to mark it as answer 🙂

Reply

xbbj3nj
Path Finder
‎04-23-2014 02:47 PM

@linu1988 : Thank you so much, I had to do a minor tweak of your query to get my desired results

index="q_ldap"[|search index="q_ldap" |dedup nentries|sort 20 -nentries |head 20| table nentries ]| timechart limit=20 useother=f usenull=f count by nentries | sort by nentries

Thanks Again !!

0 Karma
Reply

linu1988
Champion
‎04-23-2014 12:49 PM

I have made some changes could you try it?

Reply

xbbj3nj
Path Finder
‎04-23-2014 12:31 PM

Thanks for that .. but to be clear on my need.. I'm filtering the whole lot of nentries 1st and then trying to sort based on the values of nentries, ie largest and not it's count.... so How do I apply filter for largest values in timechart ? say the result is 0,1,2,5,78,100,23,350...... and i want to show only the largest value in the timechart.. i.e 350,100,78 out of all

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...