For each request made to our app, we collect a log event that contains a uri and a response_time property.
I want to answer the following question:
For each day, what are the 5 uris with the highest average response time?
I was able to create a search to calculate the avg response time of each uri per day:
my_search
| bucket _time span=day
| stats avg(response_time) as avg_response_time by _time request_path
This creates daily buckets, but I don't know how to limit each bucket to contain only the top 5 avg_response_time for each day/bucket.