- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to see the top 10 categories in each span of a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have stacked columns chart that covers 24h w. 1h spans
i use timechart's default limit=10 and get 10 categories + OTHER.
some spans in my graph are entirely made up of OTHER items.
this isn't very useful.
i would like to see the top 10 categories in each span not the top 10 for the entire duration of the chart imposed on spans.
is there a way to get the behaviour i'm after?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a way to do what you require - be wary - it might take EXCESSIVE amounts of time depending on your volume of information. Also - as written - this search is equivilent to "earliest=-1d@d latest=@d".
|gentimes start=-1 end=0 increment=1h | map maxsearches=24 search="search earliest=$starttime$ latest=$endtime$ <your_base_search> | bucket _time span=1h | top useother=t limit=10 <some_field> by _time | fields - percent" | timechart limit=0 sum(count) as "WIN" by <some_field>
replace <some_field> with your field, and <base_search> with your base search. Narrow down "base_search" as far as you can to be as specific as you can to keep this running smoothly.
Questions? Find me on #splunk IRC on efnet.org. alacer's the name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a way to do what you require - be wary - it might take EXCESSIVE amounts of time depending on your volume of information. Also - as written - this search is equivilent to "earliest=-1d@d latest=@d".
|gentimes start=-1 end=0 increment=1h | map maxsearches=24 search="search earliest=$starttime$ latest=$endtime$ <your_base_search> | bucket _time span=1h | top useother=t limit=10 <some_field> by _time | fields - percent" | timechart limit=0 sum(count) as "WIN" by <some_field>
replace <some_field> with your field, and <base_search> with your base search. Narrow down "base_search" as far as you can to be as specific as you can to keep this running smoothly.
Questions? Find me on #splunk IRC on efnet.org. alacer's the name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way is:
<your_base_search> | bucket _time span=1h | top 10 categories by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using top instead of stats - nice 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have any in mind just this moment. There might be one. Yours is pretty slick, good job!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alacercogitatus,
i started working off of what MuS suggested and came up with something almost identical to your suggestion except without gentime/map -
i think gentimes/map are redundant here - do you agree? do you have a scenario in mind where they would produce different results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can set limit=0, sure. Then you won't be limiting the limits.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shouldn't there be a limit=0 in the timechart at the end?
Also, be wary of huge numbers of hard-to-distinguish colours being used, up to 241 in fact.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tomer,
timechart will calculate the top values for the particular metric overall.
If you want to show this for each hour try using something like this:
some_entry_type_text | bucket _time span=1h | chart count over _time by some_field
but still you will not get this kind of grouping for OTHER; you can use limit=xx to set a limit for chart or timechart to calculate the OTHERS.
Maybe this can help you to get the result you want; take this run everywhere command:
index=_internal | bucket _time span=1h | stats count by series, _time | chart limit=10 count over _time by series
this will stats the hourly buckets frist and use them in a chart, adopt it to your needs and see if it helps.
Like this:
some_entry_type_text | bucket _time span=1h | stats count by some_field, _time | chart limit=20 count over _time by some_field
cheers, Mus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i'm not trying to remove OTHER.
i want to keep OTHER, but i want the decision about which items are included under OTHER to be made on a per-span basis (not per chart basis).
let's say host1 appears very few times in the 1st span, and many times in the 2nd span. i want it to be included under OTHER in the first span visualization, but i want to see it as its own category in the 2nd span.
my search looks likes this:
some_entry_type_text | timechart span=1h count by some_field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please post your search. If you are trying to remove OTHER values then palce useother=f at the end of the timechart command.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
