Solved: How to report a peak count per day based on a per ...

karlduncans · ‎02-25-2015

I'm trying to determine a way to report a peak per minute count per day (in this case, the last 30 days)

If i run this for a full 24 hour day, i get the peak for that one day:

index=foo source=bar
| bucket span=1m _time
| stats count by _time
| sort -count
| head 1

But if i run this for the last 5 days, i'll just get a single per minute peak for the total 5 day period, and what i need is the per-day peak tabled.

My ultimate goal in the end would be to average that 30d per minute peak, but that might need to be done in a separate search.

Thank you in advance!

allanw_splunk · ‎02-25-2015

Try this:

index=foo source=bar | timechart span=1m count | timechart span=1d max(count). This will give you the max count per minute for each day.

View solution in original post

ppablo · ‎03-11-2015

Hi @karlduncans

Just wanted to follow up with this post. Did @allanw_splunk's answer below solve your question? If yes, don't forget to officially accept it by clicking on "Accept" directly below his answer and also upvote it by clicking on the up arrow to the left of the answer.

allanw_splunk · ‎02-25-2015

Try this:

index=foo source=bar | timechart span=1m count | timechart span=1d max(count). This will give you the max count per minute for each day.

Vebloud · ‎02-12-2019

Is there a way how to get also a minute in which maximum happened? I am struggling to even come with and idea how to get it there.

Shashank_87 · ‎11-19-2019

@Vebloud @allanw_splunk - Are you able to figure it out how to add the minute in the table. I am also facing the same problem and wanting to know if you have figured out any solution for this

How to report a peak count per day based on a per minute count?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...