Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

stats query help !

kc_prane
Communicator
‎10-13-2023 10:26 AM

Hello,  I am searching to get results for each hour  top 1 max URL hits.  Iam using the below search but not getting results for each hour.

index=*  | fields Request_URL _time
| stats count as hits by Request_URL _time |bucket span=1h _time
| sort by hits desc
| head 1

Thanks in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2023 12:49 AM

1. index=* is something that is very rarely a good idea. Be as specific about your search as you can to use resources effectively

2. It makes no sense to stats by time and only afterwards splitting into time-based buckets. For such case you should either bin first and then stats by _time or simply use timechart with a proper span.

3. As was already pointed out, head is not tbe way to go. The alternative to using dedup could be using stats first or last

So your final search could look like this

index=<be_specific_here>
| bin span=1h _time
| stats count by Request_URL _time
| sort _time count
| stats last(*) as * by _time

As an exercise you could try to solve the same problem using another approach - adding stats with eventstats and filtering with where

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2023 12:49 AM

1. index=* is something that is very rarely a good idea. Be as specific about your search as you can to use resources effectively

2. It makes no sense to stats by time and only afterwards splitting into time-based buckets. For such case you should either bin first and then stats by _time or simply use timechart with a proper span.

3. As was already pointed out, head is not tbe way to go. The alternative to using dedup could be using stats first or last

So your final search could look like this

index=<be_specific_here>
| bin span=1h _time
| stats count by Request_URL _time
| sort _time count
| stats last(*) as * by _time

As an exercise you could try to solve the same problem using another approach - adding stats with eventstats and filtering with where

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-13-2023 11:50 PM

Aside from mistaken use of head as @richgalloway points out, what is the reason to perform stats on _time before bucketing if your goal is to find maximum per hour?

index=*
| bucket _time span=1h
| stats count by _time Request_URL
| sort - count
| dedup _time
| sort _time

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2023 11:10 AM

Rather than head 1, which returns the first of all results, try dedup _time, which will return the first result from each hour (because of the bucket and sort commands).

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...