Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Top results for multiseries data

tcollyer
New Member
‎02-18-2014 02:14 PM

Hi there,

I'm charting multiseries data displayed in stacked columns with the following command:

stats dc(Process_Name) by
hostname,Company | xyseries
hostname,Company,dc(Process_Name)

This works fine, except for the fact that I now have over 5000 hosts (i.e. values for 'hostname') and I need a way to quickly display only the ones with the most number of processes (i.e. discrete values of 'Process_Name'). If I could make it work, something like 'top' or 'head' would be great:

stats dc(Process_Name) as processes by
hostname,Company|sort
hostname,-processes|head 50|xyseries
hostname,Company,processes

The sort command seems to provide unpredictable results though when it is preceded by a multi-value command (e.g. the B,C in 'stats(A) by B,C'). Can anyone offer me a way to view just the top 50 (or whatever) hosts when sorted by the number of processes?

Thanks for the help.

Tags (4)
0 Karma
Reply

somesoni2
Revered Legend
‎02-18-2014 02:26 PM

Try this

your base search | stats dc(Process_Name) by hostname,Company | sort hostname,-dc(Process_Name) | streamstats count by hostname | where count < 51 |xyseries hostname,Company,processes
0 Karma
Reply

tcollyer
New Member
‎02-19-2014 12:02 PM

Thanks for your suggestion. It gave me a number of things to try out and poke at, none of which worked unfortunately.

As far as I can tell, after I call "stats dc(Process_Name) by hostname,Company", everything has already been sorted by hostname and other attempts to reorder the data yield strange results. For instance, this:

base search | stats dc(Process_Name) by hostname,Company | sort -hostname | xyseries hostname,Company,dc(Process_Name)

gives sorts the hosts starting at 328 and goes up from there instead of starting at 1.

Streamstats seemed to have no effect at all. Other ideas?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...