Solved: How to show the Report to display the Top 10 Max v...

rajeswariramar · ‎01-04-2018

Report to show the Top 10 Max values

I want the Report as below

IBD successcont Mintime Maxtime

IBD1 2 3000 11071

IBD2 2 2678 2265

etc

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD

i want to list the top 10 max values to be retrived....

can you please advice

harsmarvania57 · ‎01-04-2018

Hi,

Please try this

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort 10 -max

View solution in original post

mayurr98 · ‎01-04-2018

hey try this!

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort limit=10 max desc

you can use sort command and limit option to limit the number of top values!
Refer this doc.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort#Description

Let me know if this helps you!

harsmarvania57 · ‎01-04-2018

Hi,

Please try this

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort 10 -max

How to show the Report to display the Top 10 Max values

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms