Hello Splunkians (?).
I have a table of data with 2 fields: host / data_used_mb / _timestamp
host  data_used_mb  _timestamp
H01   59            12:00
H01   78            13:00
...
H02   15            12:00
H02   20            13:00
...
H06   993           12:00
...
If I were to calculate the MAX of the last 24 hours' data points (24 points) for EACH host by rolling them up, how could I implement this? I looked into the "tail" command, but it doesn't take it "by host", and "stats latest(data_used_mb)" gives only the last point.
Any help from you guys would be highly appreciated!
Jack
Like this:
... | bucket _time span=1d | stats max(data_used_mb) by _time
Have you tried simply setting your time range picker to "Last 24 hours"?
If that doesn't work, look into fixing your timestamp extraction.
Hello! Try this: ... earliest=-30d | bucket _time span=1h | stats max(data_used_mb) by host _time
Okay, but what if I'm ONLY interested in the max of Last 24 points out of say 30 days of hourly data?
earliest=-30d | stats list(data_used_mb) AS data_used_mb by host | mvexpand data_used_mb limit=24 | stats max(data_used_mb) by host
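As an added illustration (not from the thread), the two approaches discussed above, "last 24 points per host" versus a "Last 24 hours" time window, are worked through in Python over constructed hourly data; the hosts, values and timestamps are made up, and a reporting gap on H02 shows where the two answers diverge.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1)   # constructed reference time; hour i is BASE + i hours
NOW = BASE + timedelta(hours=71)


def build_rows():
    """Constructed hourly (host, data_used_mb, _time) rows, 3 days long.
    H01 reports every hour. H02 is silent for hours 60..65 and has a usage
    spike at hour 45, so its last 24 *points* reach back beyond 24 *hours*."""
    rows = []
    for i in range(72):
        t = BASE + timedelta(hours=i)
        rows.append(("H01", 50 + (i % 24) * 2, t))
        if not 60 <= i < 66:
            rows.append(("H02", 900 if i == 45 else 10 + i, t))
    return rows


def max_last_n_points(rows, n=24):
    """Same idea as the thread's
    stats list(data_used_mb) by host | mvexpand data_used_mb limit=24 | stats max(...) by host,
    but with an explicit sort by _time so the 'first n' really are the newest n,
    rather than relying on the order in which the search returned events."""
    by_host = defaultdict(list)
    for host, mb, t in rows:
        by_host[host].append((t, mb))
    result = {}
    for host, points in by_host.items():
        newest = sorted(points, reverse=True)[:n]   # newest n points, whatever their age
        result[host] = max(mb for _, mb in newest)
    return result


def max_last_24_hours(rows, now=NOW):
    """Same idea as setting the time range picker to 'Last 24 hours':
    a fixed time window, so a host with gaps contributes fewer than 24 points."""
    cutoff = now - timedelta(hours=24)
    result = {}
    for host, mb, t in rows:
        if t > cutoff:
            result[host] = max(result.get(host, mb), mb)
    return result


if __name__ == "__main__":
    rows = build_rows()
    print("last 24 points:", max_last_n_points(rows))   # H01: 96, H02: 900
    print("last 24 hours: ", max_last_24_hours(rows))   # H01: 96, H02: 81
```

For H01 both methods agree; for H02 the point-based window reaches back to hour 42 because of the gap and picks up the spike, while the time-based window does not.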