Hi -
I am building a query as below:
sourcetype=my-data | eventstats count(request-id) as requestCountByService by remoteServiceName | where requestCountByService > 5000 | timechart count by remoteServiceName
The intent was only services that have more than 5000 requests in the given search time window. There are 2 problems that I want to fix:
1. `top 5` to show the top 5 services that made the most requests.
2. `where` clause. I want to show them as 'OTHER' group.
How should I update the search query? Thanks in advance!
Figured it out. Just use timechart directly:
sourcetype=my-data | eventstats count(request-id) as requestCountByService by remoteServiceName | timechart count by remoteServiceName limit=3
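As an added example (not from the original post or answer), the same search with the timechart split-by options written out explicitly: `limit`, `useother` and `otherstr` are documented timechart options; `sourcetype=my-data`, the `request-id` field and the 5000 threshold are taken from the question, the second search is a separate check of which services will get their own series.

```spl
sourcetype=my-data
| eventstats count(request-id) AS requestCountByService BY remoteServiceName
| where requestCountByService > 5000
| timechart count BY remoteServiceName limit=5 useother=t otherstr="OTHER"

sourcetype=my-data
| stats count(request-id) AS requestCountByService BY remoteServiceName
| where requestCountByService > 5000
| sort - requestCountByService
| head 5
```

Note that the `where` line drops the sub-5000 services before `timechart` runs, so the OTHER series only collects above-threshold services that fall outside the top 5; remove that line if OTHER should also absorb the services below the threshold.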