Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Top 10 for each date

bmer
Explorer
‎10-13-2024 06:57 AM

I have below splunk which gives result of top 10 only for a particular day and I know the reason why too. How can I tweak it to get top 10 for each date i.e. If I run the splunk on 14-Oct, the output must include 10-Oct, 11-Oct, 12.-Oct and 13-Oct each with top 10  table names with highest insert sum

 

 

 

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count

 

 

 

 

Thanks in advance

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2024 02:55 AM

No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bmer
Explorer
‎10-13-2024 08:55 PM

Thanks @ITWhisperer This helps. Iam going to read more about streamstats command now.My desired output is as below where am trying to see daily % growth of data.For eg. The green colored table is the output I got from your modified splunk.I want to generate output as per other table where "daily % growth" (for each table in a date) formula is (120-100)/100 rounded to 0 as percentage output.

Is this something which can be achieved?

Preview file
139 KB
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2024 01:19 AM 
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
0 Karma
Reply
Solved! Jump to solution

bmer
Explorer
‎10-14-2024 02:31 AM

@ITWhisperer did you mean the final splunk query would look like as below?

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2024 02:55 AM

No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-13-2024 07:19 AM 
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2024 12:05 AM

There is an easier way.

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| dedup 10 _time
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...