We want the following search, but for each span of time:
index=test_index | chart sum(REQTIME) as reqtime by uri | table reqtime uri | sort -reqtime | head 5
We mean, for example, representing the result of the previous search for each 10-minute span within a period of 1 hour. We have tried to change the search to:
index=test_index | timechart eval(sum(REQTIME)/1000000) as reqtime by uri | sort -reqtime
But, in this case, the legend (field uri) is fixed for all spans of time and the maximum values do not appear. The URIs are always the same. We have tried setting the limit to 0 to show all URIs, but the problem is that the number of URIs is too high and the search doesn't finish.
What we would like to see is a timechart representing the top 5 URIs with the highest value of REQTIME for every span of time.
Try something like this
index=test_index | bucket span=1h _time | stats sum(REQTIME) as reqtime by _time uri | sort 0 _time -reqtime | streamstats count as rank by _time | where rank<=5 | fields - rank
Maybe like this:
index=test_index [index=test_index | chart sum(REQTIME) as reqtime by uri | sort 5 -reqtime | table uri]| timechart eval(sum(REQTIME)/1000000) as reqtime by uri | sort -reqtime
If I understand your clarification, you would like to see the top 5 URIs for each hour inside of a 24-hour search.
index=test_index | bucket span=1h _time | eval reqtime=REQTIME/1000000 | stats sum(reqtime) AS reqtime BY _time uri | sort 0 _time -reqtime | streamstats current=t count AS serial BY _time | where serial <= 5
We have tried with the following query:
index=test_index [search index=test_index | chart sum(REQTIME) as reqtime by uri | sort 5 -reqtime | table uri] | timechart eval(sum(REQTIME)/1000000) as reqtime span=1h by uri | sort -reqtime
But it doesn't work, as it only displays the evolution of the same 5 URIs. The problem we have is that the top 5 URIs are different over a period of 24h if we look at each specific 1-hour bucket.
This option is not working for us, but thanks!
Thanks, I'm going to try to explain it with an example.
Let's say we have 10 different URIs in our data and we want to display the top 3 URIs of a full day with a span of one hour.
If you consider the period as a whole, the top 3 URIs within the 24h are Uri1, Uri2 and Uri3. With the standard options of Splunk, what we would see if we put a limit on the timechart would be the data of Uri1, Uri2 and Uri3 over the 24h period, with the data of each 1-hour span.
But the case we want to represent is the following:
Imagine that in the first bucket the top 3 URIs are Uri1, Uri2 and Uri3 with a high amount of data due to a problem, but after that the problem is solved and the top 3 in the following hours are others.
In the second bucket the top 3 URIs are Uri5, Uri6 and Uri7 (for example). So, what we would like to see is which URIs are top on each span of time (on each hour), and those could change as displayed in the example.
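The difference between the two approaches discussed in this thread, as an added example that is not part of the original posts: the Python below is a stand-in for the SPL pipelines, run over a constructed set of events (timestamp, uri, REQTIME in microseconds) that reproduces the "problem in the first hour, different top URIs afterwards" scenario. `top_n_overall` mimics the subsearch approach (rank once over the whole window, then chart those same URIs per bucket); `top_n_per_bucket` mimics `bucket span=1h _time | stats sum(REQTIME) by _time uri | sort 0 _time -reqtime | streamstats count by _time | where rank<=N`. The event data, the `HOUR0` epoch and the function names are all assumptions made for this illustration, not data or code from Splunk or from the thread.

```python
from collections import defaultdict
from datetime import datetime, timezone

SPAN = 3600                    # one-hour buckets, like "bucket span=1h _time"
HOUR0 = 1_699_999_200          # an arbitrary epoch second on an hour boundary (assumption)
HOUR1 = HOUR0 + SPAN
HOUR2 = HOUR0 + 2 * SPAN

# Constructed sample events: (epoch seconds, uri, REQTIME in microseconds).
# Hour 0 has a problem that inflates uri1..uri3; later hours have different leaders.
EVENTS = [
    (HOUR0 + 60, "uri1", 90_000_000), (HOUR0 + 120, "uri1", 60_000_000),
    (HOUR0 + 300, "uri2", 120_000_000), (HOUR0 + 400, "uri3", 100_000_000),
    (HOUR0 + 500, "uri5", 5_000_000), (HOUR0 + 600, "uri8", 4_000_000),
    (HOUR1 + 100, "uri5", 30_000_000), (HOUR1 + 200, "uri6", 25_000_000),
    (HOUR1 + 300, "uri7", 20_000_000), (HOUR1 + 400, "uri1", 8_000_000),
    (HOUR1 + 500, "uri4", 6_000_000),
    (HOUR2 + 100, "uri8", 40_000_000), (HOUR2 + 200, "uri9", 35_000_000),
    (HOUR2 + 300, "uri10", 30_000_000), (HOUR2 + 400, "uri2", 7_000_000),
    (HOUR2 + 500, "uri6", 3_000_000),
]


def bucket_of(ts, span=SPAN):
    """Floor a timestamp to its bucket start, as 'bucket span=<span> _time' does."""
    return ts - ts % span


def sum_by_bucket_and_uri(events, span=SPAN):
    """stats sum(REQTIME/1000000) as reqtime by _time uri  ->  {(bucket, uri): seconds}"""
    totals = defaultdict(float)
    for ts, uri, reqtime_us in events:
        totals[(bucket_of(ts, span), uri)] += reqtime_us / 1_000_000
    return totals


def top_n_overall(events, n=3, span=SPAN):
    """Subsearch approach: pick the top-n URIs over the whole window once,
    then report those same URIs in every bucket (missing -> 0.0)."""
    cells = sum_by_bucket_and_uri(events, span)
    overall = defaultdict(float)
    for (_, uri), secs in cells.items():
        overall[uri] += secs
    winners = [u for u, _ in sorted(overall.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]
    buckets = sorted({b for b, _ in cells})
    return {b: [(u, cells.get((b, u), 0.0)) for u in winners] for b in buckets}


def top_n_per_bucket(events, n=3, span=SPAN):
    """Per-bucket approach: sort 0 _time -reqtime | streamstats count as rank by _time | where rank<=n"""
    cells = sum_by_bucket_and_uri(events, span)
    # sort by _time ascending, then reqtime descending (uri as a deterministic tie-break)
    rows = sorted(cells.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))
    rank = defaultdict(int)            # streamstats count ... by _time
    out = defaultdict(list)
    for (b, uri), secs in rows:
        rank[b] += 1
        if rank[b] <= n:               # where rank <= n
            out[b].append((uri, secs))
    return dict(out)


def _fmt(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    print("Top 3 over the whole window, charted per hour (subsearch approach):")
    for b, rows in top_n_overall(EVENTS).items():
        print(" ", _fmt(b), rows)
    print("Top 3 inside each hour (bucket + stats + streamstats approach):")
    for b, rows in top_n_per_bucket(EVENTS).items():
        print(" ", _fmt(b), rows)
```

With these events the whole-window ranking is dominated by the first hour, so the subsearch variant shows uri1, uri2 and uri3 in every bucket (with zeros where they had no traffic), while the per-bucket variant reports uri5/uri6/uri7 in the second hour and uri8/uri9/uri10 in the third, which is the behaviour asked for above. Note that `sort` in SPL defaults to returning 10000 rows, so `sort 0` matters once the number of buckets times URIs grows large.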