This scale looks in line with our one-hour query, as we are now looking at the event count per minute.

As in the "Calculating average requests per minute" section, we could also ignore minutes that had no data. We could accomplish that as shown in the following code:
earliest=-24h sourcetype=impl_splunk_gen
| bucket span=1m _time
| stats count by _time
| timechart span=1h avg(count)
This approach does not penalize incomplete hours, for instance, the current hour. The graph looks like this:

This gives us a better understanding of events for the current hour, but is arguably not entirely truthful about the first hour in the graph.
Rebuilding top
The top command is very simple to use, but is actually doing a fair amount of interesting work. I often start with top, then switch to stats count, but then wish for something that top provides automatically. This exercise will show you how to recreate all of the elements, so that you might pick and choose what you need.

Let's recreate the top command by using other commands. Here is the query that we will replicate:
sourcetype="impl_splunk_gen" error
| top useother=t limit=5 logger user