Find Top N Value of Series - Example 1

Find top N value of series using the timeChart() function

Query

Flow: Events -> Aggregate -> Result Set

```logscale
timeChart(series=key, function=max(value), limit=2)
```

Introduction

In this example, the timeChart() function is used to find the top 2 series of the key field and display the results in a Table Widget.

The limit parameter of timeChart() keeps only the top N series. A series ranks in the top N when the subquery (here max(value)) attributes the highest numerical values to it; the ranking is based solely on the numbers the subquery produces. When multiple functions are used, all of the values they produce are considered. The selection is never based on the series names (in this example, the values of key).

Example incoming data might look like this:

key | value
a   | 42
b   | 41
c   | 40

Step-by-Step

  1. Starting with the source repository events.

  2. Flow: Events -> Aggregate (this step) -> Result Set

```logscale
timeChart(series=key, function=max(value), limit=2)
```

    Groups data by time using the key field as the series identifier (each unique key value becomes a separate series), then calculates the maximum value for each series.

    Within each time bucket, it takes the highest value calculated for that key (series) and returns only the top 2 keys, ranked by the calculated values in the new field named _max (generated by max()).

  3. Event result set.
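To make the selection rule concrete, the following Python model of the three steps above is an added example, not part of the original page or of LogScale itself. It groups constructed events by time bucket and key, computes max(value) per series, and then applies limit by ranking series on the numbers that max() produced rather than on their names. The events, the 10-second bucket span and the extra key z (a name that sorts last but has a low value) are all constructed for the illustration; the assumption that a series is ranked by its highest _max across all buckets is a modelling choice for this example.

```python
from collections import defaultdict

# Constructed sample events (not from the page). The key "z" sorts last by
# name but has the lowest value, so it must NOT be selected by limit=2.
EVENTS = [
    {"@timestamp": 1747109790000, "key": "a", "value": 42},
    {"@timestamp": 1747109790000, "key": "b", "value": 41},
    {"@timestamp": 1747109790000, "key": "c", "value": 40},
    {"@timestamp": 1747109790000, "key": "z", "value": 5},
]

BUCKET_MS = 10_000  # assumed bucket span for this example


def bucket_of(ts_ms, span_ms=BUCKET_MS):
    """Floor a millisecond timestamp to the start of its time bucket."""
    return ts_ms - ts_ms % span_ms


def time_chart_max(events, series="key", value="value",
                   span_ms=BUCKET_MS, limit=2):
    """Model of timeChart(series=<series>, function=max(<value>), limit=<limit>).

    Returns rows shaped like the page's output: _bucket, <series>, _max.
    """
    # Step 1: group by (bucket, series) and keep the maximum value seen.
    per_bucket = defaultdict(dict)
    for e in events:
        b = bucket_of(e["@timestamp"], span_ms)
        s = e[series]
        v = e[value]
        prev = per_bucket[b].get(s)
        per_bucket[b][s] = v if prev is None else max(prev, v)

    # Step 2: rank series by the numbers the subquery produced (their peak
    # _max across all buckets in this model), never by the series name.
    peak = {}
    for series_vals in per_bucket.values():
        for s, v in series_vals.items():
            peak[s] = max(peak.get(s, float("-inf")), v)
    top = sorted(peak, key=lambda s: peak[s], reverse=True)[:limit]

    # Step 3: emit only the selected series, one row per bucket and series.
    rows = []
    for b in sorted(per_bucket):
        for s in top:
            if s in per_bucket[b]:
                rows.append({"_bucket": b, series: s, "_max": per_bucket[b][s]})
    return rows


def selected_series(events, **kwargs):
    """Convenience: just the series names that survived the limit, in rank order."""
    seen = []
    for row in time_chart_max(events, **kwargs):
        if row["key"] not in seen:
            seen.append(row["key"])
    return seen


if __name__ == "__main__":
    for row in time_chart_max(EVENTS):
        print(row)
```

Running the block prints two rows, for a (42) and b (41); c and z are dropped even though z would win an alphabetical ordering, which is the point of the paragraph above: limit ranks on the subquery's numbers, not on the series names.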

Summary and Results

The query is used to find the top 2 series and display the results in a Table Widget. In this example, the top 2 series are a and b, as they have the highest numerical values output by the subquery (which is max() in this case).

This method can be used to produce a top N table or bar chart when looking for the highest or lowest entries for a given query. For example, it can track the 2 highest-performing metrics, monitor the largest resource consumers (CPU, memory), or follow top performers over time.

Sample output from the incoming example data:

_bucket       | key | _max
1747109790000 | a   | 42
1747109790000 | b   | 41

The same input can output a different result if the timeChart() function is used with multiple functions. For more information, see Find Top N Value of Series - Example 2.