Splunk Search

timechart but only for the top 5

hartfoml
Motivator

I want to use timechart to show a graph of the progress of an item so I use this command

| timechart span=1w count by plugin

The problem is I have too many plugins. I want to limit the chart to only the top 5 plugins over the time period.

So something like this, but this doesn't work:

| timechart span=1w top 5 plugin

Anyone know how to use top with timechart?

1 Solution

gkanapathy
Splunk Employee
| timechart span=1w limit=5 useother=f count by plugin


hartfoml
Motivator

I got it, thanks. The right syntax to use for this is:

| timechart useother=F span=1w limit=5 count by plugin

This says to useother=false so that other is not on the chart, and the limit is 5.

0 Karma

sbattista09
Contributor

Would limit=5 show you the top 5 "plugin" or only limit it to some random 5 "plugins"? As in, would it show you the highest 5 counts of a "plugin"?

gkanapathy
Splunk Employee
| timechart span=1w limit=5 useother=f count by plugin

hartfoml
Motivator

Thanks, you beat me to it.

0 Karma

kbrown9392
New Member

This does not seem to chart the top list, but a random list of 5. They are not the "top 5" in count, and not in order by count. How do we do that?

0 Karma

imrago
Contributor

You could try to use subsearch:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

Something like this:

index=* [search index=* | stats count by plugin | sort - count | head 5 | fields + plugin] | timechart span=1w count by plugin

0 Karma

hartfoml
Motivator

I'm going to try this to see how it comes out

0 Karma

hartfoml
Motivator

OK, so I found out that LIMIT reduces to the top "n" number of items, like this:

 | timechart span=1w limit=5 count by plugin

This gives me the top 5 but puts in the other field with all the ones not in the top 5.

Anyone know how to not show other in the chart?

0 Karma

jtrimmings
Engager

useother=f

0 Karma
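An added example, not part of any post in this thread: a search that makes the top-5 selection explicit by ranking each plugin on its total count over the whole period before charting, so it is clear which five series are kept and why. The events are constructed with makeresults so it runs without an index; the plugin names and weights, and the field names r, plugin_total and plugin_rank, are assumptions made for the illustration.

```spl
| makeresults count=5000
| eval _time = now() - (random() % (8 * 7 * 86400))
| eval r = random() % 100
| eval plugin = case(r < 30, "constructed_plugin_a",
                     r < 52, "constructed_plugin_b",
                     r < 68, "constructed_plugin_c",
                     r < 80, "constructed_plugin_d",
                     r < 88, "constructed_plugin_e",
                     r < 93, "constructed_plugin_f",
                     r < 97, "constructed_plugin_g",
                     true(), "constructed_plugin_h")
| eventstats count AS plugin_total BY plugin
| sort 0 - plugin_total, + plugin
| streamstats dc(plugin) AS plugin_rank
| where plugin_rank <= 5
| timechart span=1w count BY plugin
```

With these weights the chart should contain only constructed_plugin_a through constructed_plugin_e; to use it on real data, replace the first four commands with the base search that returns the plugin field.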