Splunk Search

How to apply a top/limit for each bucket in my search results?

pedroreys
New Member

For each request made to our app, we collect a log event that contains a uri and a response_time property.

I want to answer the following question:

For each day, what are the 5 uris with the highest average response time.

I was able to create a search to calculate the avg response time of each uri per day:

my_search
| bucket _time span=day
| stats avg(response_time) as avg_response_time by _time request_path

This creates daily buckets, but I don't know how to limit each bucket to contain only the top 5 avg_response_time for each day/bucket.

0 Karma
1 Solution

lguinn2
Legend

It is just a little different... (BTW, bucket + stats = timechart)

my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5

View solution in original post

0 Karma

lguinn2
Legend

It is just a little different... (BTW, bucket + stats = timechart)

my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5
0 Karma

pedroreys
New Member

Thanks, your streamstats usage got me where I needed. But I had to change the timechart back to bucket + stats to get the data in the format that I needed.

timechart would put the request_path values as columns, with bucket + stats I got a "request_path" column with each value becoming a row, exactly what I needed.

0 Karma

lguinn2
Legend

Got it! good catch...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...