Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart rank by top 3 averages

Sukisen1981
Champion
‎04-11-2020 08:36 AM

I have streaming data, including fields called APPID and DURATION, here DURATION is the duration in ms for the APPID.
Now, I want a timechart which shows only the top 3 appids by average DURATION.
So, assume there are 10 events split across 4 APPIDs, something like this:

APPID   DURATION
appid1  10
appid2  20
appid3  30
appid1  40
appid1  50
appid4  60
appid2  70
appid4  80
appid3  90
appid2  100

In this case my avg of the timechart should show only APPIDs 2, 3, and4 since the average duration of these 3 are the top 3.
I know using eventstats i can get the avg by APPID, but am stuck at the ranking stage,,,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-11-2020 01:31 PM 
| makeresults
| eval _raw="APPID DURATION
appid1 10
appid2 20
appid3 30
appid1 40
appid1 50
appid4 60
appid2 70
appid4 80
appid3 90
appid2 100"
| multikv
| timechart useother=f cont=f eval(round(avg(DURATION),2)) by APPID WHERE avg in top3

Hi, folks.
try timechart with where clause.

reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-11-2020 01:48 PM

Like this:

| makeresults
| eval _raw="APPID DURATION
appid1 10
appid2 40
appid3 30
appid1 40
appid1 50
appid4 60
appid2 70
appid4 80
appid3 90
appid2 100"
| multikv forceheader=1
| table APPID DURATION

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rename COMMENT AS "Calculate average by APPID"
| eventstats avg(DURATION) AS APP_DURATION BY APPID
| sort 0 - APP_DURATION APPID
| rename COMMENT AS "Calculate rank"
| streamstats dc(APPID) AS rank
| rename COMMENT "Account for ties"
| eventstats first(rank) AS rank BY APP_DURATION
| where rank < 4
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-11-2020 01:51 PM

NOTE: I modified your data to create a tie for rank number 1 so that you can see the need for it (probably all other answers will not work correctly).

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-11-2020 01:31 PM 
| makeresults
| eval _raw="APPID DURATION
appid1 10
appid2 20
appid3 30
appid1 40
appid1 50
appid4 60
appid2 70
appid4 80
appid3 90
appid2 100"
| multikv
| timechart useother=f cont=f eval(round(avg(DURATION),2)) by APPID WHERE avg in top3

Hi, folks.
try timechart with where clause.

reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

Reply
Solved! Jump to solution

Sukisen1981
Champion
‎04-12-2020 10:24 AM

works...i must be really rusty and missed the use of the WHERE clause, many thanks

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-12-2020 12:04 AM

I forgot about where clause. Getting old!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-11-2020 02:00 PM

Nicely done.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2020 10:57 AM

@Sukisen1981 try the following where sort by - AVG_DURATION is used to find top APPIDs using streamstats and filter results based on top 3:

 <yourCurrentSearch>
| fields _time APPID DURATION 
| eventstats avg(DURATION) as AVG_DURATION by APPID
| sort - AVG_DURATION
| streamstats dc(AVG_DURATION) as RANK_BY_AVG
| search RANK_BY_AVG IN (1,2,3)
| timechart avg(DURATION) as AVG_DURATION by APPID

Following is a run anywhere search based on the sample data provided (cont=f added to timechart for example perspective) :

| makeresults
| eval delta=300
| accum delta
| eval _time=_time-delta
| fields - delta
| eval data="appid1,10;appid2,20;appid3,30;appid1,40;appid1,50;appid4,60;appid2,70;appid4,80;appid3,90;appid2,100"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval APPID=mvindex(data,0), DURATION=mvindex(data,1)
| fields _time APPID DURATION
| eventstats avg(DURATION) as AVG_DURATION by APPID
| sort - AVG_DURATION
| streamstats dc(AVG_DURATION) as RANK_BY_AVG
| search RANK_BY_AVG IN (1,2,3)
| timechart avg(DURATION) as AVG_DURATION by APPID cont=f

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...