How to edit my timechart search to include the top...

jjasti · ‎05-15-2017

I want to raise an alert when the topmost field changes..

my weblog | implication prefix=geo client | time chart span=15m count by geoCountry

the above command gives several countries..but I only want one country (similar to top limit=1)
however timechart command doesn't seem to work with top command..

I want to monitor over a span of 15 min to see if the top requests from a country changes..

somesoni2 · ‎05-15-2017

Give this a try (assuming you run the search for last 30 mins)

my weblog | implication prefix=geo client | eval period=if(_time>=relative_time(now(),"-15m"),"current","previous")  
| stats count by period geoCountry | sort period -count | dedup period | stats values(geoCountry) as geoCountry | where mvcount(geoCountry)=2

This will return results if the top country for current (last 15 min) and previous (15 mins prior to last 15 min) period is different (last stats gives two values)

cmerriman · ‎05-15-2017

can you add something like:

|sort 0 _time - count|streamstats count as topCountry by _time|search topCountry=1

the streamstats should count 1,2,3,4.... for each country in order of highest to lowest count every 15 minute interval and then you search for the ones equal to 1 to get the top.

How to edit my timechart search to include the top command?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life