Solved: Top avg latencies by IP

tmarlette · ‎10-28-2013

I am attempting to get the top offenders of average latency, by their client IP, but limited to the top 50 results, sorted by their latency. This is the search that I have, but I can't figure our why it doesn't return any results. If I remove the 'top' command from the below query, it returns results, but it returns all of them, which isn't as helpful.

sourcetype=www NOT hck=* | stats avg(timetaken) by _time,clientip | top timetaken

any suggestions would be great! Thank you!

kristian_kolb · ‎10-28-2013

A few things;

top count occurrences, not high/low values.

stats removes all the other fields, so after that you only have _time, clientip and avg(timetaken).

Suggest the following;

sourcetype=www NOT hck=* | stats avg(timetaken) as TT by _time,clientip | stats max(TT) as XXXX by clientip | sort - XXXX | head 50

/K

View solution in original post

kristian_kolb · ‎10-28-2013

A few things;

top count occurrences, not high/low values.

stats removes all the other fields, so after that you only have _time, clientip and avg(timetaken).

Suggest the following;

sourcetype=www NOT hck=* | stats avg(timetaken) as TT by _time,clientip | stats max(TT) as XXXX by clientip | sort - XXXX | head 50

/K

Top avg latencies by IP

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability