Splunk Search

Top X and rare events X in one Report without join

Matthias_BY
Communicator

Hello,

I have a search like:

orders=* | transaction order_id

Now I want to see the orders that took the longest time (stats max(duration) by order_id) and the ones with the fastest (same with min(duration)).

How best to display them in the same table? I want to have the fastest 10 and slowest 10. As transaction is an expensive search, I would prefer not to need a join and run the full search again and correlate them by _time, for example. Any ideas are welcome.

br
matthias

0 Karma

MuS
SplunkTrust

Hi Matthias_BY,

Something like this should get you started:

   orders=* | transaction order_id maxspan=30s | eval longest = max(duration) | eval fastest = min(duration) | top longest fastest | table order_id longest fastest 

You can speed up transaction by adding maxspan; use the longest time range you would expect your orders to take. The top command limits to 10 by default.

Hope this helps a bit.....

Cheers, MuS

0 Karma

MuS
SplunkTrust

OK, just tried the eval and they work perfectly as long as your field has numeric values.

0 Karma

MuS
SplunkTrust

Can you provide some sample data? This was a simple guess and try.

0 Karma

Matthias_BY
Communicator

Hi,

I tried it but it does not work. The eval statements are wrong and do not work...

br

0 Karma
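A way to get both ends of the distribution from a single transaction pass, as an added example that is not part of the original thread and not MuS's search. It keeps MuS's maxspan=30s and assumes the orders=* source and order_id field from the question. Instead of eval max()/min() (which in eval compare their arguments within one event, not across events) and top (which returns the most frequent values, not the largest), it ranks each transaction's duration in both directions with sort and streamstats, so transaction runs only once and no join or append is needed:

```spl
orders=*
| transaction order_id maxspan=30s
| sort 0 duration
| streamstats count AS fast_rank
| sort 0 -duration
| streamstats count AS slow_rank
| where fast_rank <= 10 OR slow_rank <= 10
| eval bucket = if(fast_rank <= 10, "fastest", "slowest")
| table bucket order_id duration fast_rank slow_rank
| sort 0 bucket duration
```

The `0` after each sort removes the default result limit so every transaction is ranked. The two streamstats passes run over the already-reduced transaction output, which is cheap compared with transaction itself. With fewer than 20 transactions an order can qualify for both ranks; the eval labels it "fastest" in that case. Add _time to the table if you also want when each order started.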