Top 10 for every timespan

AshimaE · ‎07-10-2017

I have data of mail sending activities of 1000s of customers and need to find the top 10 mail sending customers for every 10minutes for the customer data of the past 1 month. I need to create a stacked chart of the same. Any suggestions how this could be done. for the past 24hrs the top customers have been found as follows

 index=campaign_prod sourcetype=witness_stat_log virtualization=* earliest=-1d | dedup host| table host customer_name | join type=outer host [search index=campaign_prod sourcetype=mtachild_log message_type=info "sent"| stats count as email_count by host] | fillnull value=0 email_count | stats sum(email_count) as mail_count by customer_name | sort 0 -mail_count | head 20

gcusello · ‎07-10-2017

Hi AshimaE,
try something like this

index=campaign_prod sourcetype=witness_stat_log virtualization=* earliest=-1d 
| dedup host
| join type=outer host [ search 
    index=campaign_prod sourcetype=mtachild_log message_type=info "sent" 
   | stats count as email_count by host 
   ] 
| fillnull value=0 email_count 
| bin span=10m _time
| stats sum(email_count) as mail_count by customer_name, _time 
| sort 0 -mail_count 
| head 20

Bye.
Giuseppe

AshimaE · ‎07-10-2017

But this will give the top 20 overall while I want the top 10 or 20 for each timespan of the 1 month period.

Top 10 for every timespan

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All