Solved: Re: Top 10 Event Counts with date/time of last eve...

mmester · ‎01-06-2013

Guys,

Im looking to figure out a way to determine when the last event happened in a top ten report. For example:

5/12/2013 12:00 500 apples
5/12/2015 13:00 225 Pears
Etc.

I currently have the query:

host="Clerk" sourcetype="fruitStand" | top 10 fruit

I use the table visualization.

lguinn2 · ‎01-06-2013

Try this instead:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| sort -count
| fieldformat latestTime=strftime(latestTime,"%x %X")
| head 10

If you really need the percentage, add the following:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| eventstats sum(count) as TotalCount
| eval percent=round(count*100/TotalCount)
| fields - TotalCount
| fieldformat latestTime=strftime(latestTime,"%x %X")
| sort -count
| head 10

View solution in original post

lguinn2 · ‎01-06-2013

Try this instead:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| sort -count
| fieldformat latestTime=strftime(latestTime,"%x %X")
| head 10

If you really need the percentage, add the following:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| eventstats sum(count) as TotalCount
| eval percent=round(count*100/TotalCount)
| fields - TotalCount
| fieldformat latestTime=strftime(latestTime,"%x %X")
| sort -count
| head 10

mmester · ‎01-06-2013

Thank you that worked perfectly

Top 10 Event Counts with date/time of last event

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms