Splunk Search

Top X and rare events X in one Report without join

Matthias_BY
Communicator

Hello,

i have a search like:

orders=* | transaction order_id

now i want to see the orders who took the longest time (stats max(duration) by order_id) and the one with the fastest (same with min(duration).

how to best display them in the same table. i want to have the fastest 10 and slowest 10. as transaction is an expensive search, i would prefer if i do not need to make a join and run the full search again and correlate them by _time for example. any ideas are welcome.

br
matthias

Tags (2)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Matthias_BY

something like this should get you started:

   orders=* | transaction order_id maxspan=30s | eval longest = max(duration) | eval fastest = min(duration) | top longest fastest | table order_id longest fastest 

You can speedup transaction be adding maxspan, take here the longest time range you would expect for your orders to take. The command top limits by default to 10.

Hope this helps a bit.....

Cheers, MuS

0 Karma

MuS
SplunkTrust
SplunkTrust

Ok, just tried the eval and they work perfect as long as your field has numeric values.....

0 Karma

MuS
SplunkTrust
SplunkTrust

Can you provide some sample data, this was a simple guess and try

0 Karma

Matthias_BY
Communicator

hi,

i tried it but it does not work. the eval statements are wrong and do not work...

br

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...