Hi all,
I'm looking to create a timechart from a very large dataset. I just want to count the occurrence of a custom value, then limit to the top 10 series which have the highest maximum within the time range. A regular timechart seems to average out the series I'm interested in because it only appears for a short time, even though it has a much higher peak value.
The docs for timechart seem to describe my issue under the "where clause" description:
Description: Specifies the criteria for including particular data series when a field is given in the tc-by-clause. The most common use of this option is to select for spikes rather than overall mass of distribution in series selection. The default value finds the top ten series by area under the curve. Alternately one could replace sum with max to find the series with the ten highest spikes. This has no relation to the where command.
I really cannot work out how I use this syntax to prefer maximums instead of sums.
Hi rowancoleman,
if I get your question correctly, then you can use something like this to get the max count for each attack_flow:
| eval attack_flow = src_port + "->" + dst_ip | stats count by attack_flow, _time | timechart max(count) AS max by attack_flow useother=f usenull=f
the stats will take care of the counting for each attack_flow and the timechart will display the max for each attack_flow.
hope this helps ...
cheers, MuS
take a look at this example:
index=_internal source=*metrics.log series=splunkd* earliest=-24h@h | bucket _time span=1m | stats count as c_series by series, _time | timechart max(c_series) AS max min(c_series) AS min by series useother=f usenull=f
this will search the last 24 hours on index _internal for splunkd* events in metrics.log, create one minute buckets, count each occurrence of series in those buckets and display a timechart of max and min count for each series.
Adapt it to match your search and needs and you're ready to go.
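To make the docs passage quoted in the question concrete (the default keeps the ten series with the largest sum across buckets; replacing sum with max keeps the ones with the tallest spikes), here is an added Python simulation, not part of this thread or of Splunk. It runs on constructed rows shaped like the output of the stats step above; the series names and counts are made up.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the output of
# "| stats count by attack_flow, _time": (time_bucket, series, count).
# "steady_a" and "steady_b" appear in every bucket; "burst" appears in
# only one bucket but with a much higher count (the short, tall spike
# that a sum-based selection hides).
ROWS = [(t, "steady_a", 5) for t in range(10)] \
     + [(t, "steady_b", 4) for t in range(10)] \
     + [(7, "burst", 30)]


def series_scores(rows, agg):
    """Reduce each series' per-bucket counts to one score using agg."""
    per_series = defaultdict(list)
    for _t, series, count in rows:
        per_series[series].append(count)
    return {s: agg(counts) for s, counts in per_series.items()}


def top_series(rows, n, agg=sum):
    """Choose the n series to keep, mirroring 'where <agg> in topN'.
    agg=sum is the documented default (area under the curve);
    agg=max keeps the series with the highest single-bucket peak."""
    scores = series_scores(rows, agg)
    # Sort by score descending, then by name for a stable tie-break.
    return sorted(scores, key=lambda s: (-scores[s], s))[:n]


def timechart(rows, n, agg=sum):
    """bucket -> {series: count} for kept series only (like useother=f)."""
    keep = set(top_series(rows, n, agg))
    table = defaultdict(dict)
    for t, series, count in rows:
        if series in keep:
            table[t][series] = count
    return dict(table)


if __name__ == "__main__":
    print("top 2 by sum:", top_series(ROWS, 2))            # burst dropped
    print("top 2 by max:", top_series(ROWS, 2, agg=max))   # burst kept
    print("bucket 7 by max:", timechart(ROWS, 2, agg=max)[7])
```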
I tried to adapt your comment to fit my case, but it doesn't seem quite right: https://i.imgur.com/GjvilZn.png It seems like a very similar set of series were picked, but with the Y values squished by about 1/5. I posted a related question, could you please take a look if you're free? https://answers.splunk.com/answers/815185
Hi,
That doesn't seem to do it, I get odd results, and it runs very very slowly.
I can give an example of a search, but this is more of a general query.
This returns the top 10 'attack_flow' over a time range. But the top 10 is based on the sum count, rather than the max count.
Can you post your search here?