Solved: How to show the Report to display the Top 10 Max v...

rajeswariramar · ‎01-04-2018

Report to show the Top 10 Max values

I want the Report as below

IBD successcont Mintime Maxtime

IBD1 2 3000 11071

IBD2 2 2678 2265

etc

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD

i want to list the top 10 max values to be retrived....

can you please advice

harsmarvania57 · ‎01-04-2018

Hi,

Please try this

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort 10 -max

View solution in original post

mayurr98 · ‎01-04-2018

hey try this!

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort limit=10 max desc

you can use sort command and limit option to limit the number of top values!
Refer this doc.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort#Description

Let me know if this helps you!

harsmarvania57 · ‎01-04-2018

Hi,

Please try this

index=* sourcetype=VM_STATS ( Status=SUCCESS ) | stats count, max(TimeTaken) as max, MIN(TimeTaken) as MIN, avg(TimeTaken) as avg by IBD | sort 10 -max

How to show the Report to display the Top 10 Max values

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio