I have a report that I'm having trouble making do what I want.
It essentially reports 3 values: time of first event, servername, timevalueinmillisec.
I can easily use table Time, server, ms and it works but of course gives me every event.
What I want is exactly this but I want the Maximum value of ms over 30 minutes.
It was proposed to me to use
timechart span=30m max(ms) as MS by server
and this of course returns the correct values, but it gives me a separate column for each server and then that max value in the row, like this....
_time sxx0045 sxx0048 p09ps0046 p09ps0049
2019-08-20 10:00:00 0.30 0.11 0.47 0.33
What I want ultimately should look like this
Time Server ms
10:29:31 08/20/2019 sxx0045 0.30
10:29:37 08/20/2019 sxx0048 0.11
10:30:02 08/20/2019 sxx0046 0.47
10:30:16 08/20/2019 sxx0049 0.33
Can anyone assist?
Thanks
After your search use the untable command.
your search... | untable _time server ms
More in the docs:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable
Here you go:
your search .. | bin _time span=30m | stats max(ms) as MS by server _time
let me know if this helps!
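As an added, self-contained example (not part of either answer above), here is the `bin` + `stats` pipeline from the second answer run against constructed data, so it can be pasted into any Splunk search bar without an index. The `makeresults`/`eval` lines fabricate 12 events at 10-minute intervals across three assumed server names and a deterministic `ms` value; everything after `bin` is the technique itself. The `fieldformat` line is an addition that renders the bucket start in the `HH:MM:SS MM/DD/YYYY` layout shown in the question's desired output.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = strptime("2019-08-20 10:00:00", "%Y-%m-%d %H:%M:%S") + (n * 600)
| eval server = case(n % 3 == 0, "sxx0045", n % 3 == 1, "sxx0048", true(), "p09ps0046")
| eval ms = ((n * 37) % 100) / 100
| bin _time span=30m
| stats max(ms) AS ms BY _time server
| sort _time server
| fieldformat _time = strftime(_time, "%H:%M:%S %m/%d/%Y")
| table _time server ms
```

The result is one row per server per 30-minute bucket (the `_time` shown is the bucket start, e.g. 10:00:00 and 10:30:00, not the timestamp of the event that produced the maximum). The first answer's `timechart span=30m max(ms) AS ms BY server | untable _time server ms` can replace the `bin` and `stats` lines and yields the same row shape; one caveat worth knowing is that `timechart` defaults to `limit=10`, folding additional servers into an OTHER series, so with more than ten servers add `limit=0` to the `timechart` command. The `stats ... BY _time server` form has no such series limit.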
I should add, though my example results don't show this, I only want resulting columns for every half hour, since the output I'm looking for is the max(ms) over a span of 30m.