Splunk Search

graph top 5 values but can be 5 different top values per minute

New Member

I want to group events per minute, then analyse the top 5 counts of the "clientsource" field and timegraph this. Note: every minute, there can be 5 other top values.
I have succeeded in getting the values in a table; now I only need to timegraph them:

sourcetype=syslog | bucket _time span=1m | top 5 clientsource by _time


_time                 clientsource           count  percent
2014-04-24 09:52:00   10.101.4.124:1183      89     9.017224
2014-04-24 09:52:00   10.102.212.6:2830      66     6.686930
2014-04-24 09:52:00   10.102.222.166:1365    59     5.977710
2014-04-24 09:52:00   10.103.64.53:1789      57     5.775076
2014-04-24 09:52:00   10.97.28.219:4350      50     5.065856

2014-04-24 09:53:00   10.97.194.240:3807     50     10.706638
2014-04-24 09:53:00   10.102.214.191:1287    43     9.207709
2014-04-24 09:53:00   10.102.194.216:2556    40     8.565310
2014-04-24 09:53:00   10.99.34.23:4548       31     6.638116
2014-04-24 09:53:00   10.99.6.121:2389       28     5.995717

2014-04-24 09:54:00   10.101.110.94:3075     48     8.013356
2014-04-24 09:54:00   10.107.6.123:4027      46     7.679466
2014-04-24 09:54:00   10.102.214.60:2106     41     6.844741
2014-04-24 09:54:00   10.97.134.10:1748      38     6.343907
2014-04-24 09:54:00   10.97.12.115:1245      38     6.343907


Re: graph top 5 values but can be 5 different top values per minute

Champion

What exactly do you want to show on the timechart? Is it the count or the names of the clientsource? Just a heads up: you need a numeric value to chart it.


Re: graph top 5 values but can be 5 different top values per minute

SplunkTrust

You can do this (adapted to run anywhere using _internal):

index=_internal | bin span=1m _time | stats count by _time sourcetype
| sort - count | streamstats count as rank by _time | where rank <= 3
| fields - rank | sort + _time

For me that yields results like this:

_time                 sourcetype                          count
2014-04-24 12:58:00   splunkd                             140
2014-04-24 12:58:00   splunkd_access                      4
2014-04-24 12:58:00   website_monitoring_rest_handler-2   2
2014-04-24 12:59:00   jbridge-3                           297
2014-04-24 12:59:00   splunk_web_service                  194
2014-04-24 12:59:00   splunkd                             164
2014-04-24 13:00:00   splunkd                             156
2014-04-24 13:00:00   splunkd_access                      29
2014-04-24 13:00:00   scheduler                           5
2014-04-24 13:01:00   splunkd                             164
2014-04-24 13:01:00   splunkd_access                      6
2014-04-24 13:01:00   dbx_debug                           2

As you can see, the "topping" down to three is done per minute, not overall. Adapted back to your data it should look something like this:

sourcetype=syslog | bin span=1m _time | stats count by _time clientsource
| sort - count | streamstats count as rank by _time | where rank <= 3
| fields - rank | sort + _time
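To make the per-minute ranking in the accepted answer concrete, and to show why the Champion's "you need a numeric value" remark is satisfied by count rather than by the clientsource name, here is an added Python model of that search pipeline (bin → stats count by → sort → streamstats rank per bucket → where rank <= N), followed by the pivot a timechart needs. This is example code written for this page, not code from the thread or from Splunk; the events are constructed, and breaking ties by clientsource name is a choice made here (Splunk does not promise a stable order for equal counts unless you add a secondary sort key).

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): (timestamp, clientsource).
# Minute 09:52 and minute 09:53 deliberately have different top talkers.
EVENTS = [
    ("2014-04-24 09:52:03", "10.101.4.124:1183"),
    ("2014-04-24 09:52:10", "10.101.4.124:1183"),
    ("2014-04-24 09:52:41", "10.101.4.124:1183"),
    ("2014-04-24 09:52:12", "10.102.212.6:2830"),
    ("2014-04-24 09:52:55", "10.102.212.6:2830"),
    ("2014-04-24 09:52:30", "10.102.222.166:1365"),
    ("2014-04-24 09:53:02", "10.97.194.240:3807"),
    ("2014-04-24 09:53:09", "10.97.194.240:3807"),
    ("2014-04-24 09:53:44", "10.97.194.240:3807"),
    ("2014-04-24 09:53:20", "10.102.212.6:2830"),
    ("2014-04-24 09:53:59", "10.99.6.121:2389"),
]


def bin_minute(ts: str) -> str:
    """Equivalent of `bin span=1m _time`: floor the timestamp to its minute."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.replace(second=0).strftime("%Y-%m-%d %H:%M:%S")


def count_by_minute(events):
    """Equivalent of `stats count by _time clientsource`.
    Returns {minute: Counter({clientsource: count})}."""
    counts = defaultdict(Counter)
    for ts, client in events:
        counts[bin_minute(ts)][client] += 1
    return counts


def top_n_per_minute(counts, n):
    """Equivalent of `sort - count | streamstats count as rank by _time
    | where rank <= n`: rank rows within each minute, not across the
    whole result set. Ties are broken by clientsource name (an assumption
    made here so the output is deterministic)."""
    result = {}
    for minute in sorted(counts):
        ranked = sorted(counts[minute].items(), key=lambda kv: (-kv[1], kv[0]))
        result[minute] = ranked[:n]
    return result


def to_timechart(top):
    """Pivot to the shape a timechart needs: one row per minute and one
    numeric column per clientsource that made a top-N set in *any* minute,
    with 0 where that client was not in the set for that minute. The count
    is the plotted value; the client name is only the series label."""
    series = sorted({client for rows in top.values() for client, _ in rows})
    rows = []
    for minute, ranked in top.items():
        counts = dict(ranked)
        rows.append((minute, [counts.get(client, 0) for client in series]))
    return series, rows


if __name__ == "__main__":
    top = top_n_per_minute(count_by_minute(EVENTS), 2)
    series, rows = to_timechart(top)
    print("_time".ljust(20), *series)
    for minute, values in rows:
        print(minute.ljust(20), *values)
```

Running it with N=2 shows the point of the thread: the 09:52 top set is {10.101.4.124:1183, 10.102.212.6:2830} and the 09:53 top set is {10.97.194.240:3807, 10.102.212.6:2830}, so the pivoted table has three series with zeros where a client dropped out of the top N. Over a long range the number of distinct series grows with every minute that introduces a new top talker, which is the sparse, many-series chart you should expect from this kind of query.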