I want to tabulate peak period and low periods for my web transactions. The following search works but not very efficient
index=web GET OR POST | timechart span=1h count | sort count | head 1 | append [ search index=web GET OR POST | timechart span=1h count | sort count | tail 1]
Does anybody know better search to accomplish this?
Do you want to simply know what the lowest and highest values were? Or what they were and when they occurred?
If you simply want to know what the highest and lowest values were, then aelliot is absolutely correct. This search is what he suggested with the "(your search)" part included literally.
index=web GET OR POST | timechart span=1h count
| stats max(count) as max, min(count) as min
| table min,max
Something else that might work is this:
index=web GET OR POST | timechart span=1h count
| eventstats max(count) as high, min(count) as low
| where (count=low OR count=high)
| fields _time, count
You get the high and low, and when they occurred.
If neither of these are what you want, and if you cannot come up with something that works for you as a variation on one of these then perhaps you'll need to describe your actual request a little more verbosely.
Do you want to simply know what the lowest and highest values were? Or what they were and when they occurred?
If you simply want to know what the highest and lowest values were, then aelliot is absolutely correct. This search is what he suggested with the "(your search)" part included literally.
index=web GET OR POST | timechart span=1h count
| stats max(count) as max, min(count) as min
| table min,max
Something else that might work is this:
index=web GET OR POST | timechart span=1h count
| eventstats max(count) as high, min(count) as low
| where (count=low OR count=high)
| fields _time, count
You get the high and low, and when they occurred.
If neither of these are what you want, and if you cannot come up with something that works for you as a variation on one of these then perhaps you'll need to describe your actual request a little more verbosely.
The second search is what I am looking for and it works Thanks,
There's a max, min stats functions that may help you:
(your search)
| stats max(count) AS max min(count) AS min
| table min max
This one should work pretty well as I have tested it and verified :
index=web GET OR POST | bucket _time span=1h |stats count by _time | eventstats max(count) AS max_count min(count) AS min_count by _time | timechart max(max_count),min(min_count)
and a more simplified version:
index=web GET OR POST | bucket _time span=1h |stats count by _time | timechart max(count),min(count)
since the max and min in a given hour is exactly the same
You may find this post helpful as well (I believe dwaddle has something similar within his answer)
http://answers.splunk.com/answers/55271/report-hourly-max-count-events-per-day-over-a-month
Thanks for your quick response, but I am interested in finding Peak and low time periods and not the count values. The above search gives be max and min counts only