
Displaying Peak message count per second for 24 hours over a month

madanashok
Path Finder

Hi Splunkers,

Can you please help me with a query to show stats like the ones below?

Date PeakMsgPersec(01Hr) PeakMsgPersec(02Hr).... PeakMsgPersec(023Hr)

18-oct-2012 3 4 3
17-oct-2012 2 2 4
.
.
.

1-oct-2012 2 3 3

I need to display like this in colourful table format.


kristian_kolb
Ultra Champion

Spent too much time getting chart to show all columns... anyway, this is slightly shorter.

sourcetype=your_sourcetype earliest=@mon 
| bucket _time span=1s 
| stats c by _time
| eval day=strftime(_time, "%Y-%m-%d") 
| eval hour=strftime(_time, "%H") 
| chart max(c) over day by hour useother=false limit=24

Not too sure it's more efficient though...

madanashok
Path Finder

Thank you very much, jonuwz and kristian. Both queries are giving the same results. I think I got what is expected. I need to use summary indexing, so let me check.


jonuwz
Influencer

This is very expensive if you have a lot of data.

You might want to think about summary indexing every hour if this is going to be a common thing.

* 
| bin _time span=1s 
| stats count by _time 
| bin _time span=1h 
| stats max(count) as count by _time 
| eval hour=relative_time(_time,"@h") 
| eval day=strftime(hour,"%Y-%m-%d") 
| eval hour=strftime(hour,"%H") 
| chart limit=0 first(count) as peak over day by hour
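
The hourly summary-indexing approach suggested above, sketched as an added example that is not part of the original posts: the first search is scheduled once an hour and stores that hour's peak, and the second builds the month table from the stored peaks instead of rescanning every raw event. The `summary` index, the `source` label, the `peak_per_sec` field name and the hourly schedule are assumptions; `your_sourcetype` is the placeholder used earlier in the thread.

```spl
sourcetype=your_sourcetype earliest=-1h@h latest=@h
    `comment("Search 1 (assumed schedule: hourly) scans only the previous full hour")`
| bin _time span=1s
| stats count by _time
| bin _time span=1h
| stats max(count) as peak_per_sec by _time
    `comment("peak_per_sec, index=summary and the source label are assumed names")`
| collect index=summary source="peak_msg_per_sec_hourly"

index=summary source="peak_msg_per_sec_hourly" earliest=@mon
    `comment("Search 2: the monthly report reads one small summary event per hour")`
| eval day=strftime(_time, "%Y-%m-%d"), hour=strftime(_time, "%H")
| chart limit=0 max(peak_per_sec) over day by hour
```

The comment lines use Splunk's `comment` search macro and can be deleted without changing the results.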

Ayn
Legend

I posted an answer, but redacted it because I've no idea how you get the PeakMsgPersec value? Is this something you already have, or do you need to calculate it first? If you want to check each second of a whole month, you're going to run into limits problems with timechart.
