Splunk Search

Top 10 for each date


I have below splunk which gives result of top 10 only for a particular day and I know the reason why too. How can I tweak it to get top 10 for each date i.e. If I run the splunk on 14-Oct, the output must include 10-Oct, 11-Oct, 12.-Oct and 13-Oct each with top 10  table names with highest insert sum




index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count





Thanks in advance

Labels (2)
0 Karma
1 Solution


No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

View solution in original post

0 Karma


Thanks @ITWhisperer This helps. Iam going to read more about streamstats command now.My desired output is as below where am trying to see daily % growth of data.For eg. The green colored table is the output I got from your modified splunk.I want to generate output as per other table where "daily % growth" (for each table in a date) formula is (120-100)/100 rounded to 0 as percentage output.

Is this something which can be achieved?

0 Karma

| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
0 Karma


@ITWhisperer did you mean the final splunk query would look like as below?

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
0 Karma


No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

0 Karma

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
0 Karma


There is an easier way.

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| dedup 10 _time
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c; Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...