https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454689#M7341 <P>I have a report that I'm having trouble making it do what I want it to.</P> <P>It essentially reports 3 values, time of first event. servername, timevalueinmillisec</P> <P>I can easily use table Time, server, ms and it works but of course gives me every event.</P> <P>What I want is exactly this but I want the Maximum value of ms over 30 minutes.</P> <P>It was proposed to me to use </P> <P>timechart span=30m max(ms) as MS by server</P> <P>and this of course returns the correct values, but it gives me a separate column for each server and then that max value in the row, like this....</P> <P>_time sxx0045 sxx0048 p09ps0046 p09ps0049<BR /> 2019-08-20 10:00:00 0.30 0.11 0.47 0.33</P> <P>What I want ultimately should look like this</P> <P>Time Server ms<BR /> 10:29:31 08/20/2019 sxx0045 0.30<BR /> 10:29:37 08/20/2019 sxx0048 0.11<BR /> 10:30:02 08/20/2019 sxx0046 0.47<BR /> 10:30:16 08/20/2019 sxx0049 0.33</P> <P>Can anyone assist?</P> <P>Thanks</P> Tue, 20 Aug 2019 15:48:28 GMT tsheets13 2019-08-20T15:48:28Z https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454689#M7341 <P>I have a report that I'm having trouble making it do what I want it to.</P> <P>It essentially reports 3 values, time of first event. servername, timevalueinmillisec</P> <P>I can easily use table Time, server, ms and it works but of course gives me every event.</P> <P>What I want is exactly this but I want the Maximum value of ms over 30 minutes.</P> <P>It was proposed to me to use </P> <P>timechart span=30m max(ms) as MS by server</P> <P>and this of course returns the correct values, but it gives me a separate column for each server and then that max value in the row, like this....</P> <P>_time sxx0045 sxx0048 p09ps0046 p09ps0049<BR /> 2019-08-20 10:00:00 0.30 0.11 0.47 0.33</P> <P>What I want ultimately should look like this</P> <P>Time Server ms<BR /> 10:29:31 08/20/2019 sxx0045 0.30<BR /> 10:29:37 08/20/2019 sxx0048 0.11<BR /> 10:30:02 08/20/2019 sxx0046 0.47<BR /> 10:30:16 08/20/2019 sxx0049 0.33</P> <P>Can anyone assist?</P> <P>Thanks</P> Tue, 20 Aug 2019 15:48:28 GMT https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454689#M7341 tsheets13 2019-08-20T15:48:28Z https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454690#M7342 <P>I should Add, though my example results don't how this, Only want resulting columns for every half hour, since the output I'm looking for is the max(ms) over span of 30m.</P> Tue, 20 Aug 2019 17:09:07 GMT https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454690#M7342 tsheets13 2019-08-20T17:09:07Z https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454691#M7343 <P>After your search use the <CODE>untable</CODE> command.</P> <P><CODE>your search... | untable _time server ms</CODE></P> <P>More for the docs:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable</A></P> Tue, 20 Aug 2019 17:22:44 GMT https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454691#M7343 diogofgm 2019-08-20T17:22:44Z https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454692#M7344 <P>here you go :</P> <PRE><CODE>your search .. | bin _time span=30m | stats max(ms) as MS by server _time </CODE></PRE> <P>let me know if this helps!</P> Tue, 20 Aug 2019 19:24:17 GMT https://community.splunk.com/t5/Reporting/Getting-Max-value-over-time-in-report/m-p/454692#M7344 mayurr98 2019-08-20T19:24:17Z