Solved: Top 10 for each date

bmer · ‎10-13-2024

I have below splunk which gives result of top 10 only for a particular day and I know the reason why too. How can I tweak it to get top 10 for each date i.e. If I run the splunk on 14-Oct, the output must include 10-Oct, 11-Oct, 12.-Oct and 13-Oct each with top 10 table names with highest insert sum

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count

Thanks in advance

ITWhisperer · ‎10-14-2024

No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

View solution in original post

bmer · ‎10-13-2024

Thanks @ITWhisperer This helps. Iam going to read more about streamstats command now.My desired output is as below where am trying to see daily % growth of data.For eg. The green colored table is the output I got from your modified splunk.I want to generate output as per other table where "daily % growth" (for each table in a date) formula is (120-100)/100 rounded to 0 as percentage output.

Is this something which can be achieved?

ITWhisperer · ‎10-14-2024

| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

bmer · ‎10-14-2024

@ITWhisperer did you mean the final splunk query would look like as below?

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

ITWhisperer · ‎10-14-2024

No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

ITWhisperer · ‎10-13-2024

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10

PickleRick · ‎10-14-2024

There is an easier way.

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| dedup 10 _time

Top 10 for each date

stats

timechart

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...