Sorry for the delay. After a bit of tweaking of your last query, the following worked for me:
index=myIndex | eval time=execution_time/1000000.0 | table object_name,time | sort 0 -time | streamstats count by object_name | stats list(eval(if(count<11,time,null()))) as Values by object_name
I have a collection of records in [object_name, execution_time] format. I want to gather top 10 (i.e. first 10 in sorted sequence) execution time values for each object.
I could extract execution times grouped by object name by
index=myindex | stats values(execTime) as MaxTime by objectName
But I could not find a way to sort the individual groups and get the top 10 in each of them.
Looks like I did not explain the question well. Actually I have a database of how much time the web service took to execute in different calls. (I called the web service 'object_name' above.) There are various web services.
e.g. I have web services w1,w2, .., wn. I have following records
[w1,e11] [w1,e12] [w1,e13] ... [w2,e21] [w2,e22] [w2,e23] ... [wn,en1] [wn,en2] [wn,en3] ...
e11 represents the time w1 took in its first call.
Now I want the following
w1: t11,t12, ...,t1n
w2: t21,t22, ...,t2n
t11, t12, ..., t1n are the top n for w1. The top n are the highest n values of e11, e12, e13, ... in sorted sequence.
e.g. If e11, e12, e13, ... are 8,8,8,8,10,7,7,7,9,9 then the top two are 10,9.
Now the Splunk top function would not work here because it would give me 8,7, which are the most frequent two. I don't want that.
It's like a list of students' scores in each subject. I want the n highest scoring students for each subject. Hope that it's clear now.
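As an added illustration that is not part of either post above, here is the sort / streamstats / conditional-list pipeline from the working query emulated in Python on constructed data (w1 carries the ten values from the example, w2 is made up), generalised from the query's fixed count<11 to any n, next to what a frequency-based top would return instead:

```python
from collections import Counter

# Constructed sample records in the poster's [object_name, execution_time] format.
# execution_time is taken to be microseconds, since the query divides by 1,000,000;
# w1's values are the ten from the example: 8,8,8,8,10,7,7,7,9,9.
SAMPLE = (
    [("w1", v * 1_000_000) for v in (8, 8, 8, 8, 10, 7, 7, 7, 9, 9)]
    + [("w2", v * 1_000_000) for v in (3, 5, 5, 4, 12, 1)]
)


def top_n_per_object(records, n=10):
    """Emulate: eval time=execution_time/1000000.0 | sort 0 -time
    | streamstats count by object_name
    | stats list(eval(if(count<n+1,time,null()))) as Values by object_name"""
    # eval: convert to seconds
    rows = [{"object_name": o, "time": t / 1_000_000.0} for o, t in records]
    # sort 0 -time: descending over the whole result set (0 lifts the 10k row cap)
    rows.sort(key=lambda r: r["time"], reverse=True)
    # streamstats count by object_name: running per-group count in stream order,
    # so after the global sort the count is each value's rank within its group
    seen = Counter()
    for r in rows:
        seen[r["object_name"]] += 1
        r["count"] = seen[r["object_name"]]
    # stats list(eval(if(count<n+1, time, null()))): null() is dropped by list(),
    # which leaves the n highest values per object, still in descending order
    out = {}
    for r in rows:
        if r["count"] < n + 1:
            out.setdefault(r["object_name"], []).append(r["time"])
    return out


def most_frequent_per_object(records, n=10):
    """What `top n` gives instead: the n most common values per object."""
    by_obj = {}
    for o, t in records:
        by_obj.setdefault(o, []).append(t / 1_000_000.0)
    return {o: [v for v, _ in Counter(vals).most_common(n)] for o, vals in by_obj.items()}


if __name__ == "__main__":
    print("highest two:", top_n_per_object(SAMPLE, 2))       # w1 -> [10.0, 9.0]
    print("most frequent two:", most_frequent_per_object(SAMPLE, 2))  # w1 -> [8.0, 7.0]
```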