Splunk Search

Top 10 for each date

bmer
Explorer

I have below splunk which gives result of top 10 only for a particular day and I know the reason why too. How can I tweak it to get top 10 for each date i.e. If I run the splunk on 14-Oct, the output must include 10-Oct, 11-Oct, 12.-Oct and 13-Oct each with top 10  table names with highest insert sum

 

 

 

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count

 

 

 

 

Thanks in advance

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

View solution in original post

0 Karma

bmer
Explorer

Thanks @ITWhisperer This helps. Iam going to read more about streamstats command now.My desired output is as below where am trying to see daily % growth of data.For eg. The green colored table is the output I got from your modified splunk.I want to generate output as per other table where "daily % growth" (for each table in a date) formula is (120-100)/100 rounded to 0 as percentage output.

Is this something which can be achieved?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
0 Karma

bmer
Explorer

@ITWhisperer did you mean the final splunk query would look like as below?

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort limit=10 +_time -count
| sort 0 _time
| streamstats latest(count) as previous by Table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

No, more like this

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
| streamstats latest(count) as previous by table_Name window=1 global=f current=f
| eval increase=round(100*(count-previous)/previous,0)

The previous answer was based on the green table - since this is based on my first answer, combining the two should work for you (I removed the extra sort as this is redundant given the first sort.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| streamstats count as row by _time
| where row <= 10
0 Karma

PickleRick
SplunkTrust
SplunkTrust

There is an easier way.

index=myindex RecordType=abc DML_Action=INSERT earliest=-4d 
| bin _time span=1d 
| stats sum(numRows) as count by _time,table_Name 
| sort 0 +_time -count
| dedup 10 _time
0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Splunk Enterprise Security 8.0 revolutionizes the SOC workflow experience from the ground up. Now security ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...