Hi Splunkers,
Can you please help me with a query to show stats like this below?
Date PeakMsgPersec(01Hr) PeakMsgPersec(02Hr).... PeakMsgPersec(023Hr)
18-oct-2012 3 4 3
17-oct-2012 2 2 4
.
.
.
1-oct-2012 2 3 3
I need to display like this in colourful table format.
Spent too much time getting chart to show all columns....anyway, this is slightly shorter.
sourcetype=your_sourcetype earliest=@mon
| bucket _time span=1s
| stats c by _time
| eval day=strftime(_time, "%Y-%m-%d")
| eval hour=strftime(_time, "%H")
| chart max(c) over day by hour useother=false limit=24
Not too sure it's more efficient though...
Thank you very much, jonuwz and kristian. Both queries give the same results. I think I got what is expected. I need to use summary indexing; let me check.
This is very expensive if you have a lot of data.
You might want to think about summary indexing every hour if this is going to be a common thing.
*
| bin _time span=1s
| stats count by _time
| bin _time span=1h
| stats max(count) as count by _time
| eval hour=relative_time(_time,"@h")
| eval day=strftime(hour,"%Y-%m-%d")
| eval hour=strftime(hour,"%H")
| chart limit=0 first(count) as peak over day by hour
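The hourly summary indexing suggested above could look like the following. This is an added example, not a query posted by anyone in this thread. The first search is meant to run as a scheduled search once an hour, and the second builds the day-by-hour table from the stored peaks. The source name example_peak_msg_per_sec, the field name peak and the use of the default summary index are assumptions; your_sourcetype is the placeholder used earlier in the thread.

```spl
sourcetype=your_sourcetype earliest=-1h@h latest=@h
| bin _time span=1s
| stats count by _time
| bin _time span=1h
| stats max(count) as peak by _time
| collect index=summary source="example_peak_msg_per_sec"

index=summary source="example_peak_msg_per_sec" earliest=@mon
| eval day=strftime(_time, "%Y-%m-%d")
| eval hour=strftime(_time, "%H")
| chart limit=0 max(peak) as peak over day by hour
```

The reporting search only reads one summary event per hour, so the per-second counting is paid once per hour instead of over the whole month. Using max(peak) keeps the table correct if a scheduled run is repeated and writes the same hour twice.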
I posted an answer, but redacted it because I've no idea how you get the PeakMsgPersec value? Is this something you already have, or do you need to calculate it first? If you want to check each second of a whole month, you're going to run into limits problems with timechart.