- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have below splunk which gives result of top 10 only for a particular day and I know the reason why too. How can I tweak it to get top 10 for each date i.e. If I run the splunk on 14-Oct, the output must include 10-Oct, 11-Oct, 12.-Oct and 13-Oct each with top 10 table names with highest insert sum
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d
| bin _time span=1d
| stats sum(numRows) as count by _time,table_Name
| sort limit=10 +_time -count
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, more like this
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d
| bin _time span=1d
| stats sum(numRows) as count by _time,table_Name
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ITWhisperer This helps. Iam going to read more about streamstats command now.My desired output is as below where am trying to see daily % growth of data.For eg. The green colored table is the output I got from your modified splunk.I want to generate output as per other table where "daily % growth" (for each table in a date) formula is (120-100)/100 rounded to 0 as percentage output.
Is this something which can be achieved?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer did you mean the final splunk query would look like as below?
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d
| bin _time span=1d
| stats sum(numRows) as count by _time,table_Name
| sort limit=10 +_time -count
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, more like this
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d
| bin _time span=1d
| stats sum(numRows) as count by _time,table_Name
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d
| bin _time span=1d
| stats sum(numRows) as count by _time,table_Name
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an easier way.
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d
| bin _time span=1d
| stats sum(numRows) as count by _time,table_Name
| sort 0 +_time -count
| dedup 10 _time