Hi -
I am building a query as below:
sourcetype=my-data | eventstats count(request-id) as requestCountByService by remoteServiceName | where requestCountByService > 5000 | timechart count by remoteServiceName
The intent was only services that has more than 5000 requests in the given search time window. There are 2 problems that I want to fix:
- The hard coded number 5000 is not flexible. I would like to use something like
top 5 to show the top 5 services that made the most requests.
- The query above will exclude the request made by other services that doesn't meet the
where clause. I want to show them as 'OTHER` group.
How should I update the search query? Thanks in advance!
