Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

find max of two averaged fields over a month of daily data

dang
Path Finder
‎03-07-2012 01:26 PM

I've got a very basic query which computes an average of some daily attempts to do something like this:

index=monitoring | timechart span=1d sum(done) as Success sum(try) as Attempt | eval Percent=round(Success*100/Attempt,2) | convert ctime(_time) as Date timeformat="%d %B" | fields - _time | fields Date Percent

I'm unclear how I could find the day with the highest value of "Percent" over a month's worth of daily valules. Would I need to create a summary index to handle this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-07-2012 01:29 PM

You can find the single highest day by sorting by Percent, descending, and taking the first row:

index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| sort - Percent
| head 1

Alternately you can tag the highest row using eventstats and eval:

index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| eventstats max(Percent) as max_Percent
| eval is_highest = if(Percent == max_Percent, "yes", "no")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-07-2012 01:29 PM

You can find the single highest day by sorting by Percent, descending, and taking the first row:

index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| sort - Percent
| head 1

Alternately you can tag the highest row using eventstats and eval:

index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| eventstats max(Percent) as max_Percent
| eval is_highest = if(Percent == max_Percent, "yes", "no")
0 Karma
Reply
Solved! Jump to solution

dang
Path Finder
‎03-07-2012 01:32 PM

Thanks, Stephen. I'll probably use the first example, but the second one will help me learn new stuff about streamstats.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...