Getting Max value over time in report

tsheets13
Communicator

I have a report that I'm having trouble making do what I want it to.

It essentially reports 3 values: time of first event, servername, timevalueinmillisec

I can easily use table Time, server, ms and it works but of course gives me every event.

What I want is exactly this but I want the Maximum value of ms over 30 minutes.

It was proposed to me to use

timechart span=30m max(ms) as MS by server

and this of course returns the correct values, but it gives me a separate column for each server and then that max value in the row, like this....

_time sxx0045 sxx0048 p09ps0046 p09ps0049
2019-08-20 10:00:00 0.30 0.11 0.47 0.33

What I want ultimately should look like this

Time Server ms
10:29:31 08/20/2019 sxx0045 0.30
10:29:37 08/20/2019 sxx0048 0.11
10:30:02 08/20/2019 sxx0046 0.47
10:30:16 08/20/2019 sxx0049 0.33

Can anyone assist?

Thanks


diogofgm
SplunkTrust

After your search use the untable command.

your search... | untable _time server ms

More for the docs:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable

------------
Hope I was able to help you. If so, some karma would be appreciated.


mayurr98
Super Champion

Here you go:

your search .. | bin _time span=30m | stats max(ms) as MS by server _time

Let me know if this helps!


tsheets13
Communicator

I should add, though my example results don't show this, I only want resulting columns for every half hour, since the output I'm looking for is the max(ms) over a span of 30m.
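
A run-anywhere search for the thread above, added here as an example and not posted by anyone in the thread: it builds eight constructed events with makeresults and applies the timechart and untable answer, so the result has one row per server per 30-minute bucket. The timestamps and ms values are made up; the two server names are taken from the question.

```spl
| makeresults count=8
| streamstats count as n
| eval _time = strptime("2019-08-20 10:00:00", "%Y-%m-%d %H:%M:%S") + (n - 1) * 450
| eval server = if(n % 2 == 0, "sxx0045", "sxx0048")
| eval ms = round(((n * 37) % 50) / 100, 2)
| table _time server ms
| timechart span=30m max(ms) as MS by server
| untable _time server ms
```

Replacing the last two lines with `bin _time span=30m | stats max(ms) as MS by server _time` runs the other answer on the same events.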
