Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

graph top 5 values but can be 5 different top values per minute

geertn444
New Member
‎04-24-2014 02:34 AM

I want to group events per minute, then analyse the top 5 number count of "clientsource" field and timegraph this. Note: every minute, there can be 5 other top values.
I have succeeded to get the values in a table,now i only need to timegraph them;

sourcetype=syslog | bucket _time span=1m | top 5 clientsource by _time

2014-04-24 09:52:00 10.101.4.124:1183 89 9.017224

2014-04-24 09:52:00 10.102.212.6:2830 66 6.686930

2014-04-24 09:52:00 10.102.222.166:1365 59 5.977710

2014-04-24 09:52:00 10.103.64.53:1789 57 5.775076

2014-04-24 09:52:00 10.97.28.219:4350 50 5.065856`

2014-04-24 09:53:00 10.97.194.240:3807 50 10.706638

2014-04-24 09:53:00 10.102.214.191:1287 43 9.207709

2014-04-24 09:53:00 10.102.194.216:2556 40 8.565310

2014-04-24 09:53:00 10.99.34.23:4548 31 6.638116

2014-04-24 09:53:00 10.99.6.121:2389 28 5.995717

2014-04-24 09:54:00 10.101.110.94:3075 48 8.013356

2014-04-24 09:54:00 10.107.6.123:4027 46 7.679466

2014-04-24 09:54:00 10.102.214.60:2106 41 6.844741

2014-04-24 09:54:00 10.97.134.10:1748 38 6.343907

2014-04-24 09:54:00 10.97.12.115:1245 38 6.343907

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-24-2014 04:21 AM

You can do this (adapted to run anywhere using _internal😞

index=_internal | bin span=1m _time | stats count by _time sourcetype
| sort - count | streamstats count as rank by _time | where rank <= 3
| fields - rank | sort + _time

For me that yields results like this:

_time sourcetype count
1 2014-04-24 12:58:00 splunkd 140
2 2014-04-24 12:58:00 splunkd_access 4
3 2014-04-24 12:58:00 website_monitoring_rest_handler-2 2
4 2014-04-24 12:59:00 jbridge-3 297
5 2014-04-24 12:59:00 splunk_web_service 194
6 2014-04-24 12:59:00 splunkd 164
7 2014-04-24 13:00:00 splunkd 156
8 2014-04-24 13:00:00 splunkd_access 29
9 2014-04-24 13:00:00 scheduler 5
10 2014-04-24 13:01:00 splunkd 164
11 2014-04-24 13:01:00 splunkd_access 6
12 2014-04-24 13:01:00 dbx_debug 2

As you can see, the "topping" down to three is done per minute, not overall. Adapted back to your data it should look something like this:

sourcetype=syslog | bin span=1m _time | stats count by _time clientsource
| sort - count | streamstats count as rank by _time | where rank <= 3
| fields - rank | sort + _time
0 Karma
Reply

linu1988
Champion
‎04-24-2014 03:31 AM

what do you exactly want to show on timechart? is it the count or the names of the clientsource? You need a numeric value to chart it just a heads up

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...