Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting the max value of a sum in a summary index

bowesmana
SplunkTrust
SplunkTrust
‎02-12-2018 06:11 PM

I am having trouble getting the max of a sum'd field from a summary index.

I am creating the data with 

...
| eval OK=if(status<400,1,0)
| sistats count sum(OK) as OK by host, SystemId, Path, _time

so, I end up with the fields

psrsvd_ct_OK - the count of fields with the OK field
psrsvd_nc_OK - same as ct
psrsvd_sm_OK - the sum of the OK field

I can then do 

stats count as Count sum(OK) as OK

but I want to do 

stats max(OK) as Max

which would seem to be possible as it has the values to be able to do the sum, but it just returns 'nan'.

Using this

stats count(OK) sum(OK) as OK max(OK) as Max min(OK) as Min

gives me the correct count and correct sum, but nan for the max and min. I've tried using psrsvd_sm_OK but those fields don't seem to work, which doesn't surprise me.

Any ideas?

0 Karma
Reply

micahkemp
Champion
‎02-12-2018 06:39 PM

sistats aims to create the data in your summary index to enable the specific aggregations you specified when you ran it. You ran it for count and sum, so only those are available to run with stats.

I would suggest just using stats to create your summary index, thusly:

 | stats count sum(OK) as OK by host, SystemId, Path, _time

This defines specifically what you want your data to look like in your summary index, after which it's up to you to use those previously calculated aggregations properly to calculate your new aggregations.

And then when you need to perform your other stats, you have more granular control:

| stats sum(count) AS count, sum(OK) AS OK | eval avg=OK/count

or

| stats max(OK) AS Max
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-12-2018 07:08 PM

I can't use stats as I need to retain the ability to get percentiles and do dc() operations. I am looking to get a peak request count per minute, so I am bucketing the original data by 1m to get that original sum. I guess I could use eventstats to get the sum and then split by that field also, which would make it a new field in the SI, but just wondered why you couldn't use that existing sum value to get a max of it ...

0 Karma
Reply

micahkemp
Champion
‎02-12-2018 07:15 PM

In that case, just pass along all of the aggregations you want to be able to use to your sistats command.

| sistats count sum(OK) max(OK) by host, SystemId, Path, _time

sistats, by definition, limits your abilities with later stats to the aggregations you told it about at summary time.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-12-2018 07:22 PM

max(OK) is only ever one, as it's used as a counter to count successful and failed requests, so it's the original aggregated sum of events per minute that I then need the max of.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...