Solved: How to edit my search to change a line graph into ...

pavanae · ‎10-27-2016

I have a search as follows:

My search | timechart span=1h limit=0 count by users

Which displays a line graph for the past 7 days. Now I'm looking to modify the search to display only the top 5 users (based on the event count) in a pie chart. How can I modify my search to get the result like that?

cmerriman · ‎10-27-2016

My search |top 5 users

that should do it, but it won't be hourly.

View solution in original post

cmerriman · ‎10-27-2016

My search |top 5 users

that should do it, but it won't be hourly.

pavanae · ‎10-27-2016

And how can I display a tabular format of those top 5 users activities considering activity is a common field for all the users next to that pie chart?

cmerriman · ‎10-27-2016

to show it with the hour try this:

 My search |bucket _time span=1h| stats count by user _time|eval date=strftime(_time,"%D %H:%M")|eval userHour=user+" - "+date|sort - count|head 5|fields userHour count

How to edit my search to change a line graph into pie chart to display only the top 5 results?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes