
Graphing or bucketing a summary indexed query

Oren
Explorer

I've set up a summary index that works great. I usually use it like this:

index=summary search_name="Z - Top Domain - 15 minutes" | top 50 http_domain 

When I run this query, it gives me three fields - the http_domain, the "count" which is the # of hits of that domain, and the percent of total. I'd like to graph the sum(count) by http_domain. I naively tried this, and of course failed hard. Attempts to use bucket have met with blank stares from the search engine as well.

It's clear the data is in there - if I run the query for 1 hour, I get 1 hour of results. Ideally then I could bucket the results each hour or equivalent.


Stephen_Sorkin
Splunk Employee

How are you populating the summary index? If you're using "... | sitop http_domain" then the "... | top" is really the only valid thing you can do.

On the other hand, if you store the summary manually, say "... | stats count by http_domain", then you should be able to compute "... | timechart sum(count) by http_domain".

Calculating "... | top 50 http_domain" is a bit harder, say "... | stats sum(count) as count by http_domain | sort - count | head 50" and is even harder if you want percents, where you'll have to add "... | eventstats sum(count) as sum_count | eval percent = count / sum_count | fields - sum_count | ..." between the stats and the sort.

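Putting the pieces of that answer together, here are two full searches (added here as an example, not from the thread) that assume the summary index was filled by a scheduled "... | stats count by http_domain" search whose search_name is the one from the question. The first charts sum(count) per domain in one-hour buckets; the second keeps the top 50 domains within each hour along with each domain's percent of that hour's total.

```spl
index=summary search_name="Z - Top Domain - 15 minutes"
| timechart span=1h sum(count) by http_domain

index=summary search_name="Z - Top Domain - 15 minutes"
| bin _time span=1h
| stats sum(count) as count by _time, http_domain
| eventstats sum(count) as sum_count by _time
| eval percent = round(100 * count / sum_count, 2)
| fields - sum_count
| sort 0 _time, -count
| streamstats count as rank by _time
| where rank <= 50
```

Drop the "by _time" from eventstats and the bin/streamstats/where lines if you want a single top 50 over the whole time range instead of one per hour.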