- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Different values for each minute
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i'm new to splunk and in need for a little help.
we can only access an index that was made for our department.
background:
we are extracting data by REST from our products to Splunk.
one of our data inputs is extracting the following details:
date & time, disk ID, disk Transfer
the data input is getting data every minute.
my problem is this:
for every minute i would like to get the top 10 disks with the highest transfer.
we tried to do something like this:
index=our_index source=... | timechart max(TRANSFER) by DISK_ID limit=10 | sort TRANSFER
what we ended up having is getting the current top 10 disks with the highest transfer rate and the history of them.
the problem is that at some points there must have been different disks that were making more transfer but Splunk isn't showing them because it is searching on the current disks and not on every minute.
i would like to get the data in a panel with the Statistics table visualization or the Column chart visualization.
can anyone assist?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=our_index source=... | bin span=1m _time | stats max(TRANSFER) as transfer by _time DISK_ID | sort _time - transfer | streamstats count by _time | where count <=10
*UPDATED*
index=our_index source=... | bin span=1m _time | stats max(TRANSFER) as transfer by _time DISK_ID | sort _time - transfer | streamstats count by _time | where count <=5 | eval count="DISK_".count | chart values(DISK_ID) as disk over _time by count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=our_index source=... | bin span=1m _time | stats max(TRANSFER) as transfer by _time DISK_ID | sort _time - transfer | streamstats count by _time | where count <=10
*UPDATED*
index=our_index source=... | bin span=1m _time | stats max(TRANSFER) as transfer by _time DISK_ID | sort _time - transfer | streamstats count by _time | where count <=5 | eval count="DISK_".count | chart values(DISK_ID) as disk over _time by count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
i have tried the suggestion and i think i was not saying what i search for very good.
let me give an example:
let's say that i want to get the top 5 disks with the most transfer.
i have 100 disks and i want to get the top 5 disks with the highest transfer rate for every minute.
i wish to get the following -
Date & Time DISK_ID1 DISK_ID2 DISK_ID3 DISK_ID4 DISK_ID5
### ###### ###### ####### #######
2016-09-12 10:58 DISK1 DISK64 DISK5 DISK9 DISK12
2016-09-12 10:59 DISK50 DISK32 DISK19 DISK20 DISK5
2016-09-12 11:00 DISK4 DISK27 DISK13 DISK89 DISK65
you can see that for every minute a different disk had the highest level of transfer.
i hope that now i wrote it better 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the udpated answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it worked!!
thank you 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you forgot to put a hyphen before transfer (to sort in descending order of transfer rate).
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
