For each request made to our app, we collect a log event that contains a uri and a response_time property.
I want to answer the following question:
For each day, what are the 5 uris with the highest average response time?
I was able to create a search to calculate the avg response time of each uri per day:
my_search
| bucket _time span=day
| stats avg(response_time) as avg_response_time by _time request_path
This creates daily buckets, but I don't know how to limit each bucket to contain only the top 5 avg_response_time for each day/bucket.
It is just a little different... (BTW, bucket + stats = timechart)
my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5
Thanks, your streamstats usage got me where I needed. But I had to change the timechart back to bucket + stats to get the data in the format that I needed. timechart would put the request_path values as columns; with bucket + stats I got a "request_path" column with each value becoming a row, exactly what I needed.
Got it! good catch...
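The same top-N-per-day logic as the accepted bucket + stats + streamstats search, carried out in plain Python as an added example (not code from the thread). It assumes events are dicts with an epoch `_time`, a `uri` and a `response_time` (the question's field names); the sample events are constructed here, and the output is one row per day/uri, the row format the asker ended up with.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original thread). Two UTC days;
# the first day has six uris so that a top-5 cut actually drops one.
DAY1 = 1704067200  # 2024-01-01T00:00:00Z
DAY2 = 1704153600  # 2024-01-02T00:00:00Z
SAMPLE_EVENTS = [
    {"_time": DAY1 + 60, "uri": "/a", "response_time": 100},
    {"_time": DAY1 + 3600, "uri": "/a", "response_time": 300},   # /a avg 200
    {"_time": DAY1 + 7200, "uri": "/b", "response_time": 500},
    {"_time": DAY1 + 7300, "uri": "/c", "response_time": 50},
    {"_time": DAY1 + 9000, "uri": "/d", "response_time": 400},
    {"_time": DAY1 + 9100, "uri": "/e", "response_time": 250},
    {"_time": DAY1 + 86000, "uri": "/f", "response_time": 10},   # dropped by top 5
    {"_time": DAY2 + 100, "uri": "/a", "response_time": 700},
    {"_time": DAY2 + 200, "uri": "/b", "response_time": 100},
]


def day_bucket(epoch):
    """Equivalent of `bucket _time span=day`: truncate to the UTC day."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def avg_response_time_by_day_and_uri(events):
    """Equivalent of `stats avg(response_time) as avg_response_time by _time uri`."""
    totals = defaultdict(lambda: [0.0, 0])  # (day, uri) -> [sum, count]
    for ev in events:
        key = (day_bucket(ev["_time"]), ev["uri"])
        totals[key][0] += ev["response_time"]
        totals[key][1] += 1
    return {key: total / count for key, (total, count) in totals.items()}


def top_n_per_day(averages, n=5):
    """Equivalent of `sort _time -avg_response_time
    | streamstats count as seq_num by _time reset_on_change=t
    | where seq_num <= n`. Rows come back ordered by day, then descending avg."""
    ordered = sorted(averages.items(), key=lambda kv: (kv[0][0], -kv[1]))
    rows, seq_num, prev_day = [], 0, None
    for (day, uri), avg in ordered:
        if day != prev_day:          # reset_on_change=t: new day, restart the counter
            seq_num, prev_day = 0, day
        seq_num += 1
        if seq_num <= n:
            rows.append({"_time": day, "uri": uri, "avg_response_time": avg})
    return rows


if __name__ == "__main__":
    for row in top_n_per_day(avg_response_time_by_day_and_uri(SAMPLE_EVENTS)):
        print(row["_time"], row["uri"], row["avg_response_time"])
```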