Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see the top 10 categories in each span of a timechart, not for the entire duration of the chart?

tomer
Explorer
‎09-08-2014 03:34 AM

i have stacked columns chart that covers 24h w. 1h spans
i use timechart's default limit=10 and get 10 categories + OTHER.
some spans in my graph are entirely made up of OTHER items.
this isn't very useful.
i would like to see the top 10 categories in each span not the top 10 for the entire duration of the chart imposed on spans.
is there a way to get the behaviour i'm after?

Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎09-08-2014 06:24 AM

This is a way to do what you require - be wary - it might take EXCESSIVE amounts of time depending on your volume of information. Also - as written - this search is equivilent to "earliest=-1d@d latest=@d". 

|gentimes start=-1 end=0 increment=1h | map maxsearches=24 search="search earliest=$starttime$ latest=$endtime$ <your_base_search> | bucket _time span=1h | top useother=t limit=10 <some_field> by _time | fields - percent" | timechart limit=0 sum(count) as "WIN" by <some_field>

replace <some_field> with your field, and <base_search> with your base search. Narrow down "base_search" as far as you can to be as specific as you can to keep this running smoothly.

Questions? Find me on #splunk IRC on efnet.org. alacer's the name.

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎09-08-2014 06:24 AM

This is a way to do what you require - be wary - it might take EXCESSIVE amounts of time depending on your volume of information. Also - as written - this search is equivilent to "earliest=-1d@d latest=@d". 

|gentimes start=-1 end=0 increment=1h | map maxsearches=24 search="search earliest=$starttime$ latest=$endtime$ <your_base_search> | bucket _time span=1h | top useother=t limit=10 <some_field> by _time | fields - percent" | timechart limit=0 sum(count) as "WIN" by <some_field>

replace <some_field> with your field, and <base_search> with your base search. Narrow down "base_search" as far as you can to be as specific as you can to keep this running smoothly.

Questions? Find me on #splunk IRC on efnet.org. alacer's the name.

Reply
Solved! Jump to solution

moisesroth
Path Finder
‎11-16-2016 05:19 AM

Another way is:

<your_base_search> | bucket _time span=1h | top 10 categories by _time
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-08-2014 07:40 AM

using top instead of stats - nice 🙂

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎09-08-2014 07:25 AM

I don't have any in mind just this moment. There might be one. Yours is pretty slick, good job!

0 Karma
Reply
Solved! Jump to solution

tomer
Explorer
‎09-08-2014 07:01 AM

alacercogitatus,
i started working off of what MuS suggested and came up with something almost identical to your suggestion except without gentime/map -
| bucket _time span=1h | top limit=10 useother=t by _time | timechart span=1h limit=0 sum(count) by

i think gentimes/map are redundant here - do you agree? do you have a scenario in mind where they would produce different results?

Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎09-08-2014 06:56 AM

You can set limit=0, sure. Then you won't be limiting the limits.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-08-2014 06:51 AM

Shouldn't there be a limit=0 in the timechart at the end?

Also, be wary of huge numbers of hard-to-distinguish colours being used, up to 241 in fact.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-08-2014 05:30 AM

Hi tomer,

timechart will calculate the top values for the particular metric overall.
If you want to show this for each hour try using something like this:

  some_entry_type_text | bucket _time span=1h | chart count over _time by some_field

but still you will not get this kind of grouping for OTHER; you can use limit=xx to set a limit for chart or timechart to calculate the OTHERS.

Maybe this can help you to get the result you want; take this run everywhere command:

index=_internal | bucket _time span=1h | stats count by series, _time | chart limit=10 count over _time by series

this will stats the hourly buckets frist and use them in a chart, adopt it to your needs and see if it helps.

Like this:

some_entry_type_text | bucket _time span=1h | stats count by some_field, _time | chart limit=20 count over _time by some_field

cheers, Mus

Reply
Solved! Jump to solution

tomer
Explorer
‎09-08-2014 05:05 AM

i'm not trying to remove OTHER.
i want to keep OTHER, but i want the decision about which items are included under OTHER to be made on a per-span basis (not per chart basis).
let's say host1 appears very few times in the 1st span, and many times in the 2nd span. i want it to be included under OTHER in the first span visualization, but i want to see it as its own category in the 2nd span.

my search looks likes this:
some_entry_type_text | timechart span=1h count by some_field

0 Karma
Reply
Solved! Jump to solution

theouhuios
Motivator
‎09-08-2014 04:44 AM

Can you please post your search. If you are trying to remove OTHER values then palce useother=f at the end of the timechart command.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...