Solved: timechart search question

frank_zhang · ‎10-04-2012

Hi,

My indexer receives the following network traffic stats in which value 3 and 4 of sys_report_id field indicates inbound and outbound traffic respectively.

_time                     host          sys_report_id   traffic
1 10/4/12 9:48:59.000 PM    host1.foo.com   4               503.283333
2   10/4/12 9:48:59.000 PM  host1.foo.com   3               4103.533333
3   10/4/12 9:48:56.000 PM  host2.foo.com   4               923.966102
4   10/4/12 9:48:56.000 PM  host2.foo.com   3               4554.000000
5   10/4/12 9:48:55.000 PM  host3.foo.com   4               4290.796296
6   10/4/12 9:48:55.000 PM  host3.foo.com   3               6284.962963
7   10/4/12 9:48:01.000 PM  host3.foo.com   4               4249.809524
8   10/4/12 9:48:01.000 PM  host3.foo.com   3               4970.936508
....

How can I generate a timechart search to return inbound and outbound traffic stats for top 5 hosts that generate the most combined (inbound+outbound) traffic? i.e., I'm expecting this search shows 10 lines (5 pairs) with a line chart.

Thanks in advance

Ayn · ‎10-04-2012

Use a subsearch to grab your top 5 hosts, then timechart based on those:

... [search ... | stats sum(traffic) by host | sort - host | head 5 | fields host] | timechart sum(traffic) by sys_report_id,host

View solution in original post

Ayn · ‎10-04-2012

Use a subsearch to grab your top 5 hosts, then timechart based on those:

... [search ... | stats sum(traffic) by host | sort - host | head 5 | fields host] | timechart sum(traffic) by sys_report_id,host

frank_zhang · ‎10-05-2012

Many thanks, Ayn. It solved my problems. Do you think there's any way to do this without having to use subsearch?

timechart search question

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!