
Examples - Top N

Table of contents
  1. Top N: total
  2. Top N: within an interval of time

Top N: total

function countBySource()
  search
  let source=f("@source"), timestamp=f("@timestamp")
  aggregate count=count() by source
  sort 10 count
end
stream eventCount=countBySource()

Related FPL commands: search, f, aggregate, sort, stream

Top N: within an interval of time

function countBySource()
  search
  let source=f("@source"), timestamp=f("@timestamp")
  timechart {span="1h", limit=10} count=count() by source
end

function sizeBySource()
  search
  let source=f("@source"), size=f("__size__"), timestamp=f("@timestamp")
  timechart {span="1h", limit=10} size=sum(size) by source
end

env from="-48h>h", to=">h"
stream eventCount=countBySource()
stream eventSize=sizeBySource()

Related FPL commands: search, f, aggregate, stream, env, timechart