Hi there,
The first search is quite simple, just extract the top 10 stats count by src, so I use
my search | stats count by src | sort - count | head 10
but now I want to use these top 10 src to separately list their top 50 events; how can I do this? Thanks in advance.
Just like the following:
src, count, event
--- ----- -----
x.x.x.1 500 1.the first raw event
2.the second raw event
3.the third raw event
.
.
50.the 50th raw event
x.x.x.2 200 1.the first raw event
2.the second raw event
3.the third raw event
.
.
50.the 50th raw event
.
.
.
x.x.x.10 300 1.the first raw event
2.the second raw event
3.the third raw event
.
.
50.the 50th raw event
... | eventstats count by src | dedup 50 src sortby count,src | streamstats global=t current=t dc(src) as rank | where rank <= 10
Then, if you want to display with nulls in your data, you can add:
... | dedup keepevents=t src,count
But that is purely for display purposes as it founds up your data. This will be rather more efficient than using a subsearch in your case, as it uses a single pass over the data rather than two passes.
streamstats means "Adds summary statistics to all search results in a streaming manner", but I don't really understand the streaming manner and its difference from eventstats.
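The difference asked about above, as an added Python simulation of the one-pass pipeline in the answer (eventstats, dedup, streamstats, where) beside the two-pass subsearch approach; this is illustrative code, not Splunk's implementation or anything from the thread. It assumes the dedup sorts by count descending (the -count direction) so the most frequent src come first, with 10 and 50 as parameters and constructed sample events.

```python
from collections import Counter, defaultdict

# Constructed sample events (src, _raw), not data from the thread.
EVENTS = [{"src": s, "_raw": r} for s, r in [
    ("x.x.x.1", "raw a1"), ("x.x.x.2", "raw b1"), ("x.x.x.1", "raw a2"), ("x.x.x.3", "raw c1"),
    ("x.x.x.1", "raw a3"), ("x.x.x.3", "raw c2"), ("x.x.x.2", "raw b2"), ("x.x.x.1", "raw a4"),
    ("x.x.x.3", "raw c3"), ("x.x.x.4", "raw d1"), ("x.x.x.1", "raw a5"), ("x.x.x.3", "raw c4"),
    ("x.x.x.2", "raw b3"),
]]

def eventstats_count_by_src(events):
    # eventstats count by src: every event gets the FINAL count for its src,
    # so nothing can be emitted until the whole result set has been seen.
    totals = Counter(e["src"] for e in events)
    return [dict(e, count=totals[e["src"]]) for e in events]

def dedup_n_src_sortby_count(events, n):
    # dedup N src sortby -count,src: sort (stable), keep at most N events per src.
    ordered = sorted(events, key=lambda e: (-e["count"], e["src"]))
    kept, seen = [], defaultdict(int)
    for e in ordered:
        if seen[e["src"]] < n:
            seen[e["src"]] += 1
            kept.append(e)
    return kept

def streamstats_dc_src_as_rank(events):
    # streamstats dc(src) as rank: a RUNNING distinct count over the events seen
    # so far; each event is emitted immediately. That is the "streaming manner".
    seen, out = set(), []
    for e in events:
        seen.add(e["src"])
        out.append(dict(e, rank=len(seen)))
    return out

def top_src_single_pass(events, top_n, per_src):
    # The one-pass pipeline from the answer, with 10 and 50 as parameters.
    ranked = streamstats_dc_src_as_rank(
        dedup_n_src_sortby_count(eventstats_count_by_src(events), per_src))
    return [e for e in ranked if e["rank"] <= top_n]

def top_src_via_subsearch(events, top_n, per_src):
    # Subsearch version: pass 1 picks the top src, pass 2 rescans for their events.
    totals = Counter(e["src"] for e in events)
    top = [s for s, _ in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]]
    picked = {}
    for e in events:
        if e["src"] in top and len(picked.setdefault(e["src"], [])) < per_src:
            picked[e["src"]].append(e["_raw"])
    return picked
```

Both paths produce the same top src with the same capped event lists; the single-pass version only needs eventstats to hold the data once, while the subsearch rescans it.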
This is a very good example of a situation where a subsearch can be used. Use your first search to single out the hosts with the most events, then feed those hosts into your outer search and generate the statistics:
* [my search | stats count by src | sort - count | head 10] | stats count,values(_raw) by src
More information on subsearches can be found in the docs:
http://www.splunk.com/base/Documentation/4.2.2/User/Subsearchtutorial
http://www.splunk.com/base/Documentation/latest/User/HowSubsearchesWork
Here, I have a doubt: if using values(_raw), how can I extract only the first 50 raw events? Thanks