Solved: How to edit my search to get the sum of the maximu...

thefuzz4 · ‎04-13-2016

So I have my accurite weather sensor pumping its data into Splunk. (If you want to know how I did that just ask 🙂 ).

Anywho, I have this awesome dashboard that is basically like my own little weather station.

Now what I would like to do is be able to see how much precip we've had over the month.

Using some other answers I came up with this search string

index=main host=mimic* sourcetype=weather | bucket max(rain) span=day | stats sum(rain)

However, it's telling me that I've had 13" so far this month and I know that's not right. I think it's taking the sum of all of the values that are returned and going with it. I just want it to take the maximum value per day then sum all of that. Hmm I think I see my problem I need to alias the max rain.

Well tried to alias it, but now I get no results. Thank you all in advance for your help with this.

lguinn2 · ‎04-13-2016

This should work

index=main host=mimic* sourcetype=weather 
| bin _time span=1d 
| stats max(rain) as daily_rain by _time 
| stats sum(daily_rain) as monthly_rain

HTH

View solution in original post

lguinn2 · ‎04-13-2016

This should work

index=main host=mimic* sourcetype=weather 
| bin _time span=1d 
| stats max(rain) as daily_rain by _time 
| stats sum(daily_rain) as monthly_rain

HTH

thefuzz4 · ‎04-13-2016

Thank you very much that worked like a champ.

How to edit my search to get the sum of the maximum value per day for the month?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor