Splunk Search

Top X and rare events X in one Report without join

Communicator

Hello,

I have a search like:

orders=* | transaction order_id

Now I want to see the orders that took the longest time (stats max(duration) by order_id) and the ones that were the fastest (the same with min(duration)).

How can I best display them in the same table? I want to have the fastest 10 and the slowest 10. As transaction is an expensive search, I would prefer not to need a join that runs the full search again and correlates the results by _time, for example. Any ideas are welcome.

BR,
Matthias

0 Karma

Re: Top X and rare events X in one Report without join

SplunkTrust

Hi Matthias_BY

something like this should get you started:

   orders=* | transaction order_id maxspan=30s | eval longest = max(duration) | eval fastest = min(duration) | top longest fastest | table order_id longest fastest 

You can speed up transaction by adding maxspan; use the longest time range you would expect your orders to take. The top command limits to 10 results by default.

Hope this helps a bit.....

Cheers, MuS

0 Karma
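A single-pass variant of the search, added here as an example and not taken from the original thread: it keeps MuS's maxspan, collapses each order_id to one duration, then ranks the orders once so that the 10 fastest and the 10 slowest come out of the same pipeline without a join or a second transaction run. The field names orders, order_id and duration come from the question; the maxspan of 30s, the cutoff of 10 and the bucket labels are assumptions.

```spl
orders=*
| transaction order_id maxspan=30s
| stats max(duration) AS duration BY order_id
| sort 0 duration
| streamstats count AS rank
| eventstats count AS total
| where rank <= 10 OR rank > total - 10
| eval bucket = if(rank <= 10, "fastest", "slowest")
| table bucket order_id duration
```

The stats line matters when maxspan splits one order into several transactions: max(duration) keeps the longest piece per order_id, so every order appears once. sort 0 removes the default 10,000-row sort limit, streamstats numbers the rows in ascending duration order, eventstats attaches the total row count, and the where clause keeps only the head and tail of that ranking. If fewer than 20 orders are present the two windows overlap, and the eval assigns an overlapping row to "fastest".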

Re: Top X and rare events X in one Report without join

Communicator

hi,

I tried it but it does not work. The eval statements are wrong and do not work...

br

0 Karma

Re: Top X and rare events X in one Report without join

SplunkTrust

Can you provide some sample data? This was a simple guess and try.

0 Karma

Re: Top X and rare events X in one Report without join

SplunkTrust

OK, I just tried the evals and they work perfectly as long as your field has numeric values.

0 Karma