Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to graph by other fields after a top 10?

lavaca
New Member
‎08-10-2015 11:01 AM

The fields I am interested in are: action (100+ values), customer (6 values), timeTaken (~continuous)

I would like to plot a bunch of graphs, but only from entries of the 10 most common actions across all customers.

For example, a column chart with each of these 10 actions along the x-axis, the 95th percentile of timeTaken on y, with stacking columns for each customer. So far I have tried:

top 10 action | chart perc95(timeTaken) by action, customer

This returns no results found, so I tried to create my own top 10 using sort and head:

stats count by action | sort -count | head 10 | chart perc96(timeTaken) by action,customer

I get what I expect after head 10, but then cannot plot the graph I need after that - it returns no results found.

Help would be very much appreciated! Thank you.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-10-2015 02:05 PM

Both top and stats in your command are removing the field timeTaken, hence when you try to chart using unavailable field timeTaken, it returns no rows.
Try something like this (the subsearch gets the top 10 action for each customer, add that as filter, so that your chart will show data for those only)

your base search  [ your base search | stats count by action, customer | sort customer -count | streamstats  count as sno by customer | where sno<=10 | table customer action | format]  | chart perc96(timeTaken) by action,customer

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-10-2015 02:05 PM

Both top and stats in your command are removing the field timeTaken, hence when you try to chart using unavailable field timeTaken, it returns no rows.
Try something like this (the subsearch gets the top 10 action for each customer, add that as filter, so that your chart will show data for those only)

your base search  [ your base search | stats count by action, customer | sort customer -count | streamstats  count as sno by customer | where sno<=10 | table customer action | format]  | chart perc96(timeTaken) by action,customer
Reply
Solved! Jump to solution

lavaca
New Member
‎08-11-2015 06:33 AM

Thank you, a subsearch did the trick!

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎08-10-2015 11:56 AM

You can use the map command.

... | top 10 customer | map search="search ... customer=$customer$ | chart perc95(timeTaken) by action, customer "
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...