- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to limit results in a bar chart while stil...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to limit results in a bar chart while still sorting by one of the values of column-split field?
I have this search, where I am charting usage over id field (which is on x-axis) split by two columns - two values of Day field.
source=foo resource=foobar
earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart latest(usage) over id by Day
| where Yesterday!=Today | table id Yesterday Today | sort Today
Is there a way to limit the result to a certain number?
I tried | sort 5 Today .
| sort Today breaks when I add a limit - as if it stops sorting by Today and starts sorting by id.
When I use sort 5 Now it results in sorting by id while I actually want to sort by usage in Today column. Is that possible?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source=foo resource=foobar
earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart latest(usage) over id by Day
| streamstats count(eval(Yesterday!=Today)) as session
| where Yesterday!=Today AND session < 6
| table id Yesterday Today
see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Chart
- limit
- Syntax: limit=
- Description: Only valid when a column-split is specified. Use the limit option to specify the number of results that should appear in the output. When you set limit=N the top N values are retained, based on the sum of each series. If limit=0, all results are returned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa, thanks, but I am afraid limit is not working. I saw a few posts on this forum that limit does not necessarily work with chart command, and also, per documentation, "The limit and agg options are ignored if an explicit where-clause is provided", and I have a where clause in my search. Also, it does not look like head works with my search either. I am looking for a way to sort by values of a column-split field, and limit the data points to a specific number.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you need sort, try before streamstats
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa, thanks, I tried the search you suggested, using streamstats count as session but unfortunately it resulted in only one data point: Yesterday/Today group for only one id, and based on the value of id it is obvious that it is sorted by id, not a value in column-split field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you try sort before streamstats?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, I did
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
