finding peak and low times from timechart

kunadkat
Explorer

I want to tabulate peak periods and low periods for my web transactions. The following search works but is not very efficient:

index=web GET OR POST | timechart span=1h count | sort count | head 1 | append [ search index=web GET OR POST | timechart span=1h count | sort count | tail 1]

Does anybody know a better search to accomplish this?

1 Solution

dwaddle
SplunkTrust

Do you want to simply know what the lowest and highest values were? Or what they were and when they occurred?

If you simply want to know what the highest and lowest values were, then aelliott is absolutely correct. This search is what he suggested, with the "(your search)" part included literally.

index=web GET OR POST | timechart span=1h count 
| stats max(count) as max, min(count) as min
| table min,max

Something else that might work is this:

index=web GET OR POST | timechart span=1h count 
| eventstats max(count) as high, min(count) as low
| where (count=low OR count=high)
| fields _time, count

You get the high and low, and when they occurred.

If neither of these is what you want, and if you cannot come up with something that works for you as a variation on one of these, then perhaps you'll need to describe your actual request a little more verbosely.

kunadkat
Explorer

The second search is what I am looking for, and it works. Thanks,

aelliott
Motivator

There are max and min stats functions that may help you:

(your search)
| stats max(count) AS max min(count) AS min
| table min max

This one should work pretty well, as I have tested and verified it:

index=web GET OR POST | bucket _time span=1h | stats count by _time | eventstats max(count) AS max_count min(count) AS min_count by _time | timechart max(max_count),min(min_count)

and a simpler version:

index=web GET OR POST | bucket _time span=1h | stats count by _time | timechart max(count),min(count)

since the max and min in a given hour are exactly the same.
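To make the difference between the two search shapes in this thread concrete, here is an added example that is not part of the original thread and not Splunk code: a Python re-implementation of dwaddle's `timechart span=1h count | eventstats ... | where count=low OR count=high` search and of aelliott's `bucket _time span=1h | stats count by _time` search, run over a few constructed Apache-style access log lines. The log format, the sample lines and the function names are assumptions made for the example, not the asker's data or Splunk's own implementation.

```python
"""Added example (not from the Splunk Answers thread): Python re-implementation
of the two hourly peak/low search shapes discussed above, run over constructed
web access log lines so the difference between them can be seen offline.

  * hourly_counts_timechart mimics `timechart span=1h count`: every hour in the
    window gets a row, empty hours included (count 0).
  * hourly_counts_stats mimics `bucket _time span=1h | stats count by _time`:
    only hours that actually contain events produce a row.
  * peak_and_low mimics `eventstats max(count) as high, min(count) as low
    | where count=low OR count=high`: it keeps every row whose count equals the
    global max or min, so ties come back as several rows, unlike `head 1`/`tail 1`.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample (assumption, minimal Apache-style access log): three hours
# with GET/POST traffic, one hour (04:00) with no traffic at all, and a HEAD
# request that the `GET OR POST` filter must drop.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Mar/2024:03:05:10 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.2 - - [12/Mar/2024:03:17:44 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.3 - - [12/Mar/2024:03:59:01 +0000] "GET /app.js HTTP/1.1" 200 4096
10.0.0.1 - - [12/Mar/2024:05:02:30 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.4 - - [12/Mar/2024:05:40:12 +0000] "HEAD /index.html HTTP/1.1" 200 0
10.0.0.5 - - [12/Mar/2024:06:10:00 +0000] "POST /api/items HTTP/1.1" 201 33
10.0.0.6 - - [12/Mar/2024:06:11:00 +0000] "GET /api/items HTTP/1.1" 200 900
10.0.0.7 - - [12/Mar/2024:06:12:00 +0000] "GET /logo.png HTTP/1.1" 200 8000
"""

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(log_text, methods=("GET", "POST")):
    """Return the hour-bucketed timestamps of the events whose method is in
    `methods`, roughly `index=web GET OR POST | bucket _time span=1h`."""
    buckets = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("method") not in methods:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        buckets.append(ts.replace(minute=0, second=0, microsecond=0))
    return buckets


def hourly_counts_stats(buckets):
    """`stats count by _time` semantics: a row only for hours that have events."""
    return dict(sorted(Counter(buckets).items()))


def hourly_counts_timechart(buckets):
    """`timechart span=1h count` semantics: a row for every hour from the first
    to the last event, with 0 for hours that had no matching events."""
    counts = Counter(buckets)
    if not counts:
        return {}
    t, end = min(counts), max(counts)
    filled = {}
    while t <= end:
        filled[t] = counts.get(t, 0)
        t += timedelta(hours=1)
    return filled


def peak_and_low(counts):
    """`eventstats max(count) as high, min(count) as low
    | where count=low OR count=high`: every (time, count) row that is a global
    max or min, ties included."""
    if not counts:
        return []
    high, low = max(counts.values()), min(counts.values())
    return [(t, c) for t, c in counts.items() if c in (high, low)]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for name, table in (("stats count by _time", hourly_counts_stats(ev)),
                        ("timechart span=1h count", hourly_counts_timechart(ev))):
        print(name)
        for t, c in peak_and_low(table):
            print(f"  {t:%Y-%m-%d %H:%M}  count={c}")
```

Run it and both tables report the same two peak hours, 03:00 and 06:00, because the eventstats/where filter keeps every tied row, whereas the asker's `head 1` / `tail 1` pair returns exactly one row per end and silently drops the other peak. The low hour differs between the two shapes: `timechart` pads the empty 04:00 bucket with a zero count, so that hour is the low, while `stats count by _time` never emits a row for an hour with no events and reports 05:00 (one request) instead. Decide which of those two answers you actually want before trusting the min.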

aelliott
Motivator

You may find this post helpful as well (I believe dwaddle has something similar within his answer)
http://answers.splunk.com/answers/55271/report-hourly-max-count-events-per-day-over-a-month

kunadkat
Explorer

Thanks for your quick response, but I am interested in finding peak and low time periods and not the count values. The above search gives me max and min counts only.
