https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98727#M20660 <P>Thanks, but that is still not what I'm after. <CODE>useother</CODE> only affects the grouping of the hosts in the chart.</P> <P><CODE>timechart</CODE> is really not the answer here, since I'm not concerned about the values themselves, but which hosts had the max value at a particular time.</P> <P>Since I'm primarily interested in the hostnames, a chart is probably not the best visualization, but rather a table, with values about like this:</P> <PRE><CODE>time , host_with_highest_latency time n, host001.domain.com time m, host321.domain.com time l, host219.domain.com </CODE></PRE> Mon, 29 Oct 2012 15:10:13 GMT echalex 2012-10-29T15:10:13Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98722#M20655 <P>Hi,</P> <P>We're debugging an issue where disk latency shoots up at a specific time. I would like to create a search which shows the host with the highest latency at any specific minute.</P> <P>So the base search is:</P> <PRE><CODE>index=os sourcetype=iostat | multikv fields avgWaitMillis </CODE></PRE> <P>...but then I'm not sure how to continue... I would like to find every host where avgWaitMillis is the highest for every minute.</P> Tue, 23 Oct 2012 10:05:11 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98722#M20655 echalex 2012-10-23T10:05:11Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98723#M20656 <P>I think you may want to pipe to the <CODE>timechart</CODE> command, which will allow you gain stats over time. You may be able to do something like:</P> <PRE><CODE>..| timechart span=1m max(avgWaitMillis) as maxWait </CODE></PRE> <P>I haven't used a split-by cause (don't think you'll need one), but if you need one, just add something like, "<CODE>by someField</CODE>" (where someField is a unique split-by-cause you have).</P> <P>Please see documentation:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Timechart">http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Timechart</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/CommonStatsFunctions</A></P> Tue, 23 Oct 2012 11:00:52 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98723#M20656 MHibbin 2012-10-23T11:00:52Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98724#M20657 <P>I'm afraid this doesn't do what I want at all.</P> <P>That will just show the max values of avgWaitMillis, without even mentioning the host.</P> <P>I want to know which host had the highest latency, not what the highest latency was.</P> <P>Doing the same <CODE>by host</CODE> doesn't help me either, for out of the hundred or so hosts, the majority will be lumped into <CODE>OTHER</CODE>. So knowing that one host of 90 in <CODE>OTHER</CODE> had the highest latency at 21:15 and 23:30 reveals nothing.</P> Tue, 23 Oct 2012 11:40:32 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98724#M20657 echalex 2012-10-23T11:40:32Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98725#M20658 <P>Thank you for your effort to help, never the less!</P> Tue, 23 Oct 2012 11:41:08 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98725#M20658 echalex 2012-10-23T11:41:08Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98726#M20659 <P>Have you tried adding <CODE>useother=f</CODE> (mentioned in the docs), like so:</P> <P><CODE>..| timechart span=1m max(avgWaitMillis) as maxWait by host useother=f</CODE></P> <P>I can't remember how specific the useother boolean needs to be, but you can also try <CODE>useother=false</CODE>, or the binary equivalent (e.g. "1" OR "0").</P> Tue, 23 Oct 2012 13:43:16 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98726#M20659 MHibbin 2012-10-23T13:43:16Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98727#M20660 <P>Thanks, but that is still not what I'm after. <CODE>useother</CODE> only affects the grouping of the hosts in the chart.</P> <P><CODE>timechart</CODE> is really not the answer here, since I'm not concerned about the values themselves, but which hosts had the max value at a particular time.</P> <P>Since I'm primarily interested in the hostnames, a chart is probably not the best visualization, but rather a table, with values about like this:</P> <PRE><CODE>time , host_with_highest_latency time n, host001.domain.com time m, host321.domain.com time l, host219.domain.com </CODE></PRE> Mon, 29 Oct 2012 15:10:13 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98727#M20660 echalex 2012-10-29T15:10:13Z https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98728#M20661 <P>To elaborate a bit on that sample table:</P> <P>At time n, the <CODE>avgWaitMillis</CODE> of host001 equals <CODE>max(avgWaitMillis)</CODE> of all hosts (at that time).</P> <P>Likewise, at time l, the <CODE>avgWaitMillis</CODE> of host219 == <CODE>max(avgWaitMillis)</CODE> of all hosts at that time.</P> Mon, 29 Oct 2012 15:12:25 GMT https://community.splunk.com/t5/Getting-Data-In/List-hosts-with-highest-value/m-p/98728#M20661 echalex 2012-10-29T15:12:25Z