Splunk Search

Top values of each span on a timechart

dsmc_adv
Path Finder

Hi,

We want the following search, but for each span of time:

index=test_index | chart sum(REQTIME) as reqtime by uri | table reqtime uri | sort -reqtime | head 5

We mean, for example to represent in a period of 1 hour for each span of 10 minutes the result of the previous search. We have tried to change the search to:

index=test_index | timechart eval(sum(REQTIME)/1000000) as reqtime by uri | sort -reqtime

But, in this case, the legend (field uri) is fixed for all span of time and the maximum values do not appear. The URIs are always the same. We have tried to fix the limit to 0 to show all URIs, but the problem is that the number of URIs is too high and the search doesn't finish.

What we would like to see is a timechart representing the top 5 URIs with the highest value of REQTIME for every span of time.

Thanks,

Best Regards,

0 Karma

somesoni2
Revered Legend

Try somethin glike this

index=test_index | bucket span=1h _time | chart sum(REQTIME) as reqtime by _time uri  | sort _time -reqtime | streamstats count as rank by _time | where rank<=5 | fields - rank
0 Karma

dsmc_adv
Path Finder

hi,

we have tried this one too, but still all the uris appear in the representation. I have tried to explain the need a little bit more in the previous comment.
Thanks

0 Karma

woodcock
Esteemed Legend

Maybe like this:

index=test_index [index=test_index | chart sum(REQTIME) as reqtime by uri | sort 5 -reqtime | table uri]| timechart eval(sum(REQTIME)/1000000) as reqtime by uri | sort -reqtime
0 Karma

woodcock
Esteemed Legend

If I understand your clarification, you would like see the top 5 URIs for each hour inside of a 24-hour search.

index=test_index | timechart span=1h eval(sum(REQTIME)/1000000) AS reqtime BY uri | sort 0 -reqtime
| streamstats current=t count AS serial BY _time | where serial <= 5
0 Karma

somesoni2
Revered Legend

The timechart would not give a column reqtime but each uri would be one column. I guess you want to use bucket-chart combination here.

0 Karma

dsmc_adv
Path Finder

Hi,

We have tried with the following query:

index=test_index [search index=test_index | chart sum(REQTIME) as reqtime by uri | sort 5 -reqtime | table uri] | timechart eval(sum(REQTIME)/1000000) as reqtime span=1h by uri | sort -reqtime

But it doesn't works as it only displays the evolution of the same 5 uris. The problem we have is that the top 5 uris are different in a period of 24h if we take a look at every specific bucket of 1 hour.
This option is not working for us, but thanks!

0 Karma

dsmc_adv
Path Finder

Thanks, I'm going to try to expain it with an example.

Let's say we have 10 different Uris in our data and we want to display the top 3 uris of a full day in a span of one hour.

If you consider the period as a whole, the top 3 uris within the 24h are Uri1 Uri2 and Uri3. With the standard options of splunk, what we would see if we put a limit in the timechart would be the data of uri1 uri2 and uri3 in the period of the 24h with the data of each span of 1 hour.

But the case we want to represent is the following:

Imagine that In the first bucket, the top 3 uris are Uri1 Uri2 and Uri3 with a high amount of data due to a problem, but then after that the problem is solved and the top 3 in the different hours are others.
In the second bucket the top 3 uris are uri5 Uri6 and Uri7 (i.e.). So, what we would like to see is which uris are top on each span of time (on each hour) and those could change as it is displayed in the example.

Thanks

0 Karma

woodcock
Esteemed Legend

I do not understand how you are trying to (re)qualify your search. If you can be more specific, perhaps with examples, I might be able to help.

0 Karma