Solved: Top avg latencies by IP

tmarlette · ‎10-28-2013

I am attempting to get the top offenders of average latency, by their client IP, but limited to the top 50 results, sorted by their latency. This is the search that I have, but I can't figure our why it doesn't return any results. If I remove the 'top' command from the below query, it returns results, but it returns all of them, which isn't as helpful.

sourcetype=www NOT hck=* | stats avg(timetaken) by _time,clientip | top timetaken

any suggestions would be great! Thank you!

kristian_kolb · ‎10-28-2013

A few things;

top count occurrences, not high/low values.

stats removes all the other fields, so after that you only have _time, clientip and avg(timetaken).

Suggest the following;

sourcetype=www NOT hck=* | stats avg(timetaken) as TT by _time,clientip | stats max(TT) as XXXX by clientip | sort - XXXX | head 50

/K

View solution in original post

kristian_kolb · ‎10-28-2013

A few things;

top count occurrences, not high/low values.

stats removes all the other fields, so after that you only have _time, clientip and avg(timetaken).

Suggest the following;

sourcetype=www NOT hck=* | stats avg(timetaken) as TT by _time,clientip | stats max(TT) as XXXX by clientip | sort - XXXX | head 50

/K

Top avg latencies by IP

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation