Splunk Search

How to use eventstats to get the max value after using timechart?

ssaenger
Communicator

Hi All,

I am trying to gather transaction per second on my 4 servers for each day over a week.
I would like to sample every hour, but display the max value for that day.
However, the result I get is just the max value applied to each day.

When I table the values individually, I get the correct (ie different values), so I can see the total transaction for the hour. It's just when I introduce eventstats where I then get then same value entered for each hour.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | eventstats max(TPS_rad1) AS TPS_RAD1| eventstats max(TPS_rad2) AS TPS_RAD2 | eventstats max(TPS_rad3) AS TPS_RAD3| eventstats max(TPS_rad4) AS TPS_RAD4 |rename _time AS DATE| eval DATE=strftime(DATE, "%a %b %e") | table DATE TPS_RAD1,TPS_RAD2, TPS_RAD3, TPS_RAD4

DATE          TPS_RAD1    TPS_RAD2   TPS_RAD3     TPS_RAD4
Sun Apr 24  175.821238  84.812951   183.823877  24.492315
Sat Apr 23  175.821238  84.812951   183.823877  24.492315
Fri Apr 22  175.821238  84.812951   183.823877  24.492315
Thu Apr 21  175.821238  84.812951   183.823877  24.492315
Wed Apr 20  175.821238  84.812951   183.823877  24.492315
Tue Apr 19  175.821238  84.812951   183.823877  24.492315
Mon Apr 18  175.821238  84.812951   183.823877  24.49231

thanks

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

ssaenger
Communicator

thanks somesoni2,

this worked a treat!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...