Splunk Search

How do I get max for all events to use in timechart 1h span?

digable1
New Member

(this may be a duplicate, as I wrote a version of this question before registering and can't find it)

I have a situation where I have a column of values and want to use the maximum of all events as a value for use in a timechart by 1h span. Note: I'm a newbie.

For example: I have a column with the values [0, 73, 103, 171, 119] in my timechart 1h span - for 5 hours. I want to use the max value to populate all rows of another column - in this case 171.

I tried something like the following snippet, which of course didn't work (or I wouldn't be writing this):

| eval myFlag= if(like(myString, "%My Message%"), "true", "false")
| eval maxCount = 0
| foreach * [eval maxCount = if(myFlag="true",  maxCount + 1, 0)]
| timechart count(eval(myFlag=="true")) as errorCount, max(maxCount) as maxErrorCount span=1h

Help appreciated!

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval sample="0,73,103,171,119"
| makemv delim="," sample
| mvexpand sample
| streamstats count
| eval time_arg="+".count."h@h"
| eval time=relative_time(_time,time_arg)
| rename time as _time
| table _time sample count
`comment("this is sample data")`
| eval myFlag=if(count % 2 == 1,"true", "false")
| eventstats max(eval(if(myFlag=="false",sample,0))) as max_error_value, count(eval(myFlag=="false")) as error_count

Hi, all.
From the example sentence, this is the query.
However, it appears that there are other columns in the presented query.
I can't make an exact query without knowing what they are.

0 Karma

aberkow
Builder

I came up with this as a solution, but there are likely quite a few:

index=whatever earliest=-3m
| timechart count span=1m
| eventstats max(count) as maxCountOverTime

This doesn't take into account any of your evals, but effectively I got 3 buckets and then the eventstats took the highest one and slapped it on all the rows' values for maxCountOverTime. eventstats basically does what stats does (does aggregation by buckets) but instead of filtering down to just that result set, it goes back to the previous one and adds the newly aggregated data where applicable. Docs can be found here https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Eventstats.

Let me know if this helps!

0 Karma
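Putting the two answers together with the fields from the question, here is an added example (not posted by anyone in this thread) that keeps the asker's myFlag eval, lets timechart do the per-hour counting (so the foreach/maxCount loop is not needed), and uses eventstats to copy the peak hourly count onto every row. The index name your_index is a placeholder, and pctOfPeak is an extra column added here to show why a per-row maximum is useful when eyeballing hourly error volume.

```spl
index=your_index earliest=-5h@h latest=@h
`comment("flag each raw event that carries the message of interest")`
| eval myFlag=if(like(myString, "%My Message%"), "true", "false")
`comment("one row per hour: count only flagged events in each 1h bucket")`
| timechart span=1h count(eval(myFlag=="true")) as errorCount
`comment("eventstats runs across all rows and writes the same max back onto each row")`
| eventstats max(errorCount) as maxErrorCount
`comment("guard against a window with no flagged events at all (max would be 0)")`
| eval pctOfPeak=if(maxErrorCount>0, round(100*errorCount/maxErrorCount, 1), 0)
```

With the five hourly counts from the question this yields maxErrorCount=171 on every row and pctOfPeak of 0, 42.7, 60.2, 100 and 69.6.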