Worst X in timechart

Question

When you have a timechart, by default you get the largest 10 values, then everything else bucketed into OTHER.

Can anyone think of an effective way to get the smallest 10 (or X) in a timechart?

What I have is KBps, and I want to find the values that have the worst performance over time.

Answer 1

0

If you disable OTHER does that have the desired effect? Something like:

... | timechart useother=false limit=10 min(KBps) by host

link

answered 01 Dec '10, 01:17

bwooden ♦
2.9k●1●3●10
accept rate: 37%

I believe that would show the 10 largest minimums.

I thought of a hacky double search way...

but I was hoping for something more elegant.

(01 Dec '10, 01:32) vbumgarner

Answer 2

Sure. The answer to this question takes you back to the old clunky syntax for changing how many split-by values would be shown. The old syntax to change from 10 hosts to 50 hosts was:

<your search> | timechart count by host where sum in top50

and this was of course later streamlined to :

<your search> | timechart count by host limit=50

but the old verbose syntax still works, and indeed can can do "bottom50":

<your search> | timechart count by host where sum in bottom50

Worst X in timechart

Follow this question

Splunk Resources

Related questions