Splunk Search

Top 10 Event Counts with date/time of last event

Explorer

Guys,

Im looking to figure out a way to determine when the last event happened in a top ten report. For example:

5/12/2013 12:00 500 apples
5/12/2015 13:00 225 Pears
Etc.

I currently have the query:

host="Clerk" sourcetype="fruitStand" | top 10 fruit

I use the table visualization.

Tags (4)
0 Karma
1 Solution

Legend

Try this instead:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| sort -count
| fieldformat latestTime=strftime(latestTime,"%x %X")
| head 10

If you really need the percentage, add the following:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| eventstats sum(count) as TotalCount
| eval percent=round(count*100/TotalCount)
| fields - TotalCount
| fieldformat latestTime=strftime(latestTime,"%x %X")
| sort -count
| head 10

View solution in original post

Legend

Try this instead:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| sort -count
| fieldformat latestTime=strftime(latestTime,"%x %X")
| head 10

If you really need the percentage, add the following:

host="Clerk" sourcetype="fruitStand" 
| stats count latest(_time) as latestTime by fruit
| eventstats sum(count) as TotalCount
| eval percent=round(count*100/TotalCount)
| fields - TotalCount
| fieldformat latestTime=strftime(latestTime,"%x %X")
| sort -count
| head 10

View solution in original post

Explorer

Thank you that worked perfectly

0 Karma