Hi,
I'm new to Splunk (and my knowledge is very basic), and I have to build a complex dashboard with multiple indexes. I've tried googling it and did not find anything related to my needs.
So, I have my index with a log file from a group of servers (farm), and that log is imported every 15 min (96 files every day).
My logfile has this name: source=ControlUp_Computers_11_22_2017_16_29_57, where "16_29_57" represents the time at which it was imported to Splunk.
In this case I have to SUM all the servers' sessions every 15 min.
Source examples:
ControlUp_Computers_11_22_2017_16_29_57.csv
ControlUp_Computers_11_22_2017_16_44_59.csv
My search is:
(Time window: last 4 days)
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| timechart span=15min sum("User Sessions") as Total, sum("Active Sessions") as Active, sum(Disconnect) as Disconnected
| timechart span=1d max(Total), max(Active), max(Disconnected)
Output:
_time | max(Total) | max(Active) | max(Disconnected)
20/11/2017 | 4197 | 3076 | 2784
21/11/2017 | 4243 | 3014 | 2803
22/11/2017 | 8601 | 6089 | 2849
23/11/2017 | 2570 | 2038 | 1824
Each logfile has the number of sessions in each state, so I need to SUM all of them and then get the MAX for each day.
But all servers are grouped (by Folder).
With this search I get my results:
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder =substr(Folder,22,25)
| timechart span=15min sum("User Sessions") as Total, sum("Active Sessions") as Active, sum(Disconnect) as Disconnected by Folder
Folder names: agentes, callcenters
Output:
_time |Active: agentes |Active: callcenters |Disconnected: agentes |Disconnected: callcenters |Total: agentes |Total: callcenters
2017-11-24 00:00:00 |11 |54 |16 |584 |479 |638
2017-11-24 00:15:00 |9 |49 |11 |535 |449 |584
2017-11-24 00:30:00 |9 |45 |6 |439 |410 |484
Now I need to find the MAX for each day by Folder, but when I apply the 2nd timechart I can't get my results:
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder =substr(Folder,22,25)
| timechart span=15m sum("User Sessions") as Total, sum("Active Sessions") as Active, sum(Disconnect) as Disconnected
| timechart span=1d max("Total"), max("Active"), max("Disconnected") by Folder
Can you help by pointing me in the right direction?
Thanks!!!
Try like this:
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder =substr(Folder,22,25)
| timechart span=15m sum("User Sessions") as Total, sum("Active Sessions") as Active, sum(Disconnect) as Disconnected by Folder
| timechart span=1d max(*) as *
Basically, get the max of each available column (including the per-Folder columns from the first timechart) with span=1d.
Hi,
It works, many thanks!!!
Meanwhile, I also found a similar solution:
| bucket span=24h _time
| stats max(*) as * by _time
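As an added example (not code from either poster in this thread): the same two-stage aggregation written with bin/stats instead of timechart. It keeps Folder as a row field instead of spreading it into wide "Total: agentes" style columns, which is usually easier to feed into a dashboard panel. Index, sourcetype and field names are the ones used in the thread, and the substr() on Folder is kept exactly as the poster wrote it. The first stage groups by source rather than by a 15-minute time bin, on the assumption (as described in the thread) that each imported CSV is one snapshot of the whole farm; that way a late or early import can never put two snapshots into one 15-minute bin and double the sum.

```spl
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder = substr(Folder,22,25)
| stats min(_time) as _time, sum("User Sessions") as Total, sum("Active Sessions") as Active, sum(Disconnect) as Disconnected by source, Folder
| bin _time span=1d
| stats max(Total) as Total, max(Active) as Active, max(Disconnected) as Disconnected by _time, Folder
| sort _time, Folder
```

The first stats produces one row per CSV file and Folder (one snapshot of that Folder's session counts, stamped with the file's event time); the bin then puts each snapshot into its day, and the second stats keeps the highest snapshot per day and Folder. The result is a long table with the columns _time, Folder, Total, Active and Disconnected; if you still want the wide layout for a single metric, append `| xyseries _time Folder Total`.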