Splunk Search

graph top 5 values but can be 5 different top values per minute

geertn444
New Member

I want to group events per minute, then analyse the top 5 counts of the "clientsource" field and timegraph this. Note: every minute there can be 5 other top values.
I have succeeded in getting the values in a table; now I only need to timegraph them:

sourcetype=syslog | bucket _time span=1m | top 5 clientsource by _time


_time               clientsource           count  percent
2014-04-24 09:52:00 10.101.4.124:1183      89     9.017224
2014-04-24 09:52:00 10.102.212.6:2830      66     6.686930
2014-04-24 09:52:00 10.102.222.166:1365    59     5.977710
2014-04-24 09:52:00 10.103.64.53:1789      57     5.775076
2014-04-24 09:52:00 10.97.28.219:4350      50     5.065856

2014-04-24 09:53:00 10.97.194.240:3807     50     10.706638
2014-04-24 09:53:00 10.102.214.191:1287    43     9.207709
2014-04-24 09:53:00 10.102.194.216:2556    40     8.565310
2014-04-24 09:53:00 10.99.34.23:4548       31     6.638116
2014-04-24 09:53:00 10.99.6.121:2389       28     5.995717

2014-04-24 09:54:00 10.101.110.94:3075     48     8.013356
2014-04-24 09:54:00 10.107.6.123:4027      46     7.679466
2014-04-24 09:54:00 10.102.214.60:2106     41     6.844741
2014-04-24 09:54:00 10.97.134.10:1748      38     6.343907
2014-04-24 09:54:00 10.97.12.115:1245      38     6.343907


martin_mueller
SplunkTrust

You can do this (adapted to run anywhere using _internal):

index=_internal | bin span=1m _time | stats count by _time sourcetype
| sort - count | streamstats count as rank by _time | where rank <= 3
| fields - rank | sort + _time

For me that yields results like this:

_time               sourcetype                          count
2014-04-24 12:58:00 splunkd                             140
2014-04-24 12:58:00 splunkd_access                      4
2014-04-24 12:58:00 website_monitoring_rest_handler-2   2
2014-04-24 12:59:00 jbridge-3                           297
2014-04-24 12:59:00 splunk_web_service                  194
2014-04-24 12:59:00 splunkd                             164
2014-04-24 13:00:00 splunkd                             156
2014-04-24 13:00:00 splunkd_access                      29
2014-04-24 13:00:00 scheduler                           5
2014-04-24 13:01:00 splunkd                             164
2014-04-24 13:01:00 splunkd_access                      6
2014-04-24 13:01:00 dbx_debug                           2

As you can see, the "topping" down to three is done per minute, not overall. Adapted back to your data it should look something like this:

sourcetype=syslog | bin span=1m _time | stats count by _time clientsource
| sort - count | streamstats count as rank by _time | where rank <= 3
| fields - rank | sort + _time
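The per-minute ranking in the answer above (bin to the minute, count by minute and source, rank within each minute, keep the top N) is a generic "top talkers per interval" pattern that is useful well beyond this thread, for example for spotting the noisiest sources in a firewall or proxy log. The following Python is an added, stand-alone re-implementation of that logic, not code from the original post or from Splunk. It operates on constructed sample events (the timestamps and addresses are made up), breaks count ties by source name so the result is deterministic (Splunk's `sort - count | streamstats` leaves tie order unspecified), and then pivots the ranked rows into the two shapes one can hand to a time chart: one column per clientsource, or one column per rank position.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not from the original post): (timestamp, clientsource).
SAMPLE_EVENTS = [
    ("2014-04-24 09:52:03", "10.0.0.1:1111"),
    ("2014-04-24 09:52:10", "10.0.0.1:1111"),
    ("2014-04-24 09:52:15", "10.0.0.1:1111"),
    ("2014-04-24 09:52:20", "10.0.0.2:2222"),
    ("2014-04-24 09:52:25", "10.0.0.2:2222"),
    ("2014-04-24 09:52:40", "10.0.0.3:3333"),
    ("2014-04-24 09:52:59", "10.0.0.4:4444"),
    ("2014-04-24 09:53:01", "10.0.0.5:5555"),
    ("2014-04-24 09:53:05", "10.0.0.5:5555"),
    ("2014-04-24 09:53:07", "10.0.0.5:5555"),
    ("2014-04-24 09:53:09", "10.0.0.5:5555"),
    ("2014-04-24 09:53:30", "10.0.0.6:6666"),
    ("2014-04-24 09:53:31", "10.0.0.6:6666"),
    ("2014-04-24 09:53:45", "10.0.0.7:7777"),
    ("2014-04-24 09:53:50", "10.0.0.1:1111"),
]


def bin_minute(ts: str) -> str:
    """Equivalent of `bin span=1m _time`: truncate the timestamp to the minute."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.replace(second=0).strftime("%Y-%m-%d %H:%M:%S")


def top_n_per_minute(events, n=3):
    """Equivalent of:
        stats count by _time clientsource | sort - count
        | streamstats count as rank by _time | where rank <= n
    Ties on count are broken by clientsource name so the output is stable.
    Returns rows ordered by minute, then rank.
    """
    counts = Counter((bin_minute(ts), src) for ts, src in events)
    per_minute = defaultdict(list)
    for (minute, src), cnt in counts.items():
        per_minute[minute].append((src, cnt))

    rows = []
    for minute in sorted(per_minute):
        ranked = sorted(per_minute[minute], key=lambda sc: (-sc[1], sc[0]))
        for rank, (src, cnt) in enumerate(ranked[:n], start=1):
            rows.append({"_time": minute, "clientsource": src, "count": cnt, "rank": rank})
    return rows


def to_timechart(rows):
    """Pivot to one row per minute with one column per clientsource that made the
    cut (SPL analogue: `xyseries _time clientsource count`). Columns are sparse,
    because each minute may have a completely different set of sources."""
    chart = defaultdict(dict)
    for r in rows:
        chart[r["_time"]][r["clientsource"]] = r["count"]
    return dict(chart)


def to_rank_series(rows):
    """Pivot to one row per minute with fixed columns top1..topN
    (SPL analogue: `eval series="top".rank | timechart span=1m max(count) by series`).
    This keeps the column set stable no matter how many distinct sources appear."""
    series = defaultdict(dict)
    for r in rows:
        series[r["_time"]]["top%d" % r["rank"]] = r["count"]
    return dict(series)


if __name__ == "__main__":
    ranked_rows = top_n_per_minute(SAMPLE_EVENTS, n=3)
    for row in ranked_rows:
        print(row["_time"], row["clientsource"], row["count"], "rank", row["rank"])
    print(to_timechart(ranked_rows))
    print(to_rank_series(ranked_rows))
```

Two practical notes on charting the ranked result. First, `timechart ... by clientsource` limits the number of series it draws (10 by default, the rest collapsed into OTHER), so with many distinct sources across an hour the per-source pivot loses data; the rank-position pivot (`top1`, `top2`, ...) sidesteps that. Second, `sort` in SPL returns at most 10,000 results unless written as `sort 0 - count`, which matters once the `stats count by _time clientsource` output grows past that size.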

linu1988
Champion

What exactly do you want to show on the timechart? Is it the count or the names of the clientsource? You need a numeric value to chart it, just a heads up.
