Hi,
I'm new to Splunk and in need of a little help.
We can only access an index that was made for our department.
Background:
We are extracting data by REST from our products to Splunk.
One of our data inputs is extracting the following details:
date & time, disk ID, disk Transfer
The data input is getting data every minute.
My problem is this:
For every minute I would like to get the top 10 disks with the highest transfer.
We tried to do something like this:
index=our_index source=... | timechart max(TRANSFER) by DISK_ID limit=10 | sort TRANSFER
What we ended up getting is the current top 10 disks with the highest transfer rate and their history.
The problem is that at some points there must have been different disks that were making more transfer, but Splunk isn't showing them because it is searching on the current disks and not on every minute.
I would like to get the data in a panel with the Statistics table visualization or the Column chart visualization.
Can anyone assist?
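
A per-minute top 10 needs the ranking done inside each one-minute bucket, because the limit=10 option of timechart keeps the 10 series that rank highest over the whole search time range. One way to write that, as an added example that is not part of the original post: it reuses the TRANSFER and DISK_ID fields and the elided source=... from the query above, and rank is a field name chosen here.

```spl
index=our_index source=...
| bin _time span=1m
| stats max(TRANSFER) AS TRANSFER BY _time, DISK_ID
| sort 0 _time, -TRANSFER
| streamstats count AS rank BY _time
| where rank <= 10
| table _time, rank, DISK_ID, TRANSFER
```

This gives a Statistics table with up to 10 rows per minute. For a Column chart, replace the final table command with | xyseries _time DISK_ID TRANSFER so each disk becomes its own series.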