Hi,
Can anyone help me change this MSSQL-type problem into something I can get from Splunk!
If I have a table (Data) containing:
Server  Counter  Value
1       1        1
1       2        2
1       3        3
2       1        3
2       2        4
2       3        7
3       1        18
3       2        0
3       3        2
In MSSQL I would write:
SELECT *
FROM (
    SELECT *
          ,RN = ROW_NUMBER() OVER (PARTITION BY Counter ORDER BY Value DESC)
    FROM #DATA
) a
WHERE RN <= 2
RESULT:
Server  Counter  Value  RN
3       1        18     1
2       1        3      2
2       2        4      1
1       2        2      2
1       3        3      2
2       3        7      1
Note - this only gives the first and second place - but the methodology is what I was showing. I can't find anything that allows groups and subsets of results to be returned from a search.
I'm not getting this data from SQL - it's just the only way I could think of to illustrate the problem. I'm looking to get a subset of perfmon values out of Splunk! based on what may be considered "badly performing machines", e.g. 10 highest CPU percentages, 5 highest Disk Queues, etc.
I'd prefer not to have to write separate searches for each counter also.
Any ideas?
Thanks
Colin
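
An added example, not part of the original post: one way to express the ROW_NUMBER() OVER (PARTITION BY Counter ORDER BY Value DESC) pattern in SPL, by sorting within each Counter and numbering the rows with streamstats. The first five lines only construct the sample table from the post inline (the helper field name row is made up for this example); Server, Counter and Value are the column names from the post.

```spl
| makeresults
| eval row=split("1,1,1;1,2,2;1,3,3;2,1,3;2,2,4;2,3,7;3,1,18;3,2,0;3,3,2", ";")
| mvexpand row
| rex field=row "^(?<Server>\d+),(?<Counter>\d+),(?<Value>\d+)$"
| fields - _time row
| sort 0 num(Counter), -num(Value)
| streamstats count AS RN BY Counter
| where RN<=2
| table Server Counter Value RN
```

On real data the generated rows are replaced by the base search that returns the perfmon events. A different cut-off per counter can be had from the same single search by setting a limit field with eval and case() before the where and comparing RN against it.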