Splunk Search

Filter search result to only include events that has top N largest values

Findekano
Engager

Hi -

I am building a query as below:

sourcetype=my-data | eventstats count(request-id) as requestCountByService by remoteServiceName | where requestCountByService > 5000 | timechart count by remoteServiceName

The intent was only services that has more than 5000 requests in the given search time window. There are 2 problems that I want to fix:

  1. The hard coded number 5000 is not flexible. I would like to use something like top 5 to show the top 5 services that made the most requests.
  2. The query above will exclude the request made by other services that doesn't meet the where clause. I want to show them as 'OTHER` group.

How should I update the search query? Thanks in advance!

Tags (1)
0 Karma
1 Solution

Findekano
Engager

Figured it out. Just use timechart directly:

sourcetype=my-data | eventstats count(request-id) as requestCountByService by remoteServiceName | timechart count by remoteServiceName limit=3

View solution in original post

0 Karma

Findekano
Engager

Figured it out. Just use timechart directly:

sourcetype=my-data | eventstats count(request-id) as requestCountByService by remoteServiceName | timechart count by remoteServiceName limit=3

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...