Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eventstats to get the max value after using timechart?

ssaenger
Communicator
‎04-25-2016 07:02 AM

Hi All,

I am trying to gather transaction per second on my 4 servers for each day over a week.
I would like to sample every hour, but display the max value for that day.
However, the result I get is just the max value applied to each day.

When I table the values individually, I get the correct (ie different values), so I can see the total transaction for the hour. It's just when I introduce eventstats where I then get then same value entered for each hour.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | eventstats max(TPS_rad1) AS TPS_RAD1| eventstats max(TPS_rad2) AS TPS_RAD2 | eventstats max(TPS_rad3) AS TPS_RAD3| eventstats max(TPS_rad4) AS TPS_RAD4 |rename _time AS DATE| eval DATE=strftime(DATE, "%a %b %e") | table DATE TPS_RAD1,TPS_RAD2, TPS_RAD3, TPS_RAD4

DATE          TPS_RAD1    TPS_RAD2   TPS_RAD3     TPS_RAD4
Sun Apr 24  175.821238  84.812951   183.823877  24.492315
Sat Apr 23  175.821238  84.812951   183.823877  24.492315
Fri Apr 22  175.821238  84.812951   183.823877  24.492315
Thu Apr 21  175.821238  84.812951   183.823877  24.492315
Wed Apr 20  175.821238  84.812951   183.823877  24.492315
Tue Apr 19  175.821238  84.812951   183.823877  24.492315
Mon Apr 18  175.821238  84.812951   183.823877  24.49231

thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-25-2016 11:41 AM

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-25-2016 11:41 AM

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*
Reply
Solved! Jump to solution

ssaenger
Communicator
‎04-28-2016 12:06 AM

thanks somesoni2,

this worked a treat!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...