Solved: How to apply a top/limit for each bucket in my sea...

pedroreys · ‎01-24-2017

For each request made to our app, we collect a log event that contains a uri and a response_time property.

I want to answer the following question:

For each day, what are the 5 uris with the highest average response time.

I was able to create a search to calculate the avg response time of each uri per day:

my_search
| bucket _time span=day
| stats avg(response_time) as avg_response_time by _time request_path

This creates daily buckets, but I don't know how to limit each bucket to contain only the top 5 avg_response_time for each day/bucket.

lguinn2 · ‎01-24-2017

It is just a little different... (BTW, bucket + stats = timechart)

my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5

View solution in original post

lguinn2 · ‎01-24-2017

It is just a little different... (BTW, bucket + stats = timechart)

my_search
| timechart span=1d avg(response_time) as avg_response_time by request_path
| sort _time -avg_response_time
| streamstats count as seq_num by _time reset_on_change=t
| where seq_num <=5

pedroreys · ‎01-25-2017

Thanks, your streamstats usage got me where I needed. But I had to change the timechart back to bucket + stats to get the data in the format that I needed.

timechart would put the request_path values as columns, with bucket + stats I got a "request_path" column with each value becoming a row, exactly what I needed.

lguinn2 · ‎01-25-2017

Got it! good catch...

How to apply a top/limit for each bucket in my search results?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...