topic Re: Need help on finding daily hourly max for a month for a timechart in Splunk Search

Need help on finding daily hourly max for a month for a timechart

payalgarg27 — Mon, 24 Apr 2017 23:33:29 GMT

Hi All,

I am pretty new to splunk and trying to figure out a splunk search query. I am extracting a monthly report of hourly volume of some services.

I used following query:
index=myIndex sourcetype=mysrctype | timechart span=1h count by myapps

This gives me result in following format:

_time app1 app2 app3 app4
Date1Hr1 72 774 0 0
Date1Hr2 34 234 0 0
Date1Hr3 72 560 0
.
.
.
.
Date1Hr24 72 560 0 89
Date2Hr1 72 560 0 87
Date2Hr2 72 560 0 876
Date2Hr3 72 560 0 87
.
.
.
Date31Hr24 72 560 0 76

Question 1: How can I get Daily Max for all the applications for all 30 days?
I tried
index=myIndex sourcetype=mysrctype | timechart span=1h count by myapps | stats max(*) as *
But this gives me Max of all daily values for all 30 days. I am not able to get a "Daily" max using timechart.

Question2: How can I add a linebreak after each day in timechart?

Appreciate your help!!

Thanks,
Payal

Re: Need help on finding daily hourly max for a month for a timechart

SplunkersRock — Tue, 25 Apr 2017 17:23:53 GMT

index=myIndex sourcetype=mysrctype | timechart max(Time)

Re: Need help on finding daily hourly max for a month for a timechart

DalJeanis — Tue, 25 Apr 2017 20:55:12 GMT

If you want to understand exactly what you are doing, and be able to answer your own questions with flexible strategies, then you are better off doing your own calculations, rather than just letting timechart do the work. Feed the results into timechart at the very end, after you've collected the info.

(Caveat... if you want to be able to change the time scale to investigate things, then you have to chunk the data to the lowest level you will want to get down to.)

index=myIndex sourcetype=mysrctype
| bin _time as Hour span=1h
| stats count by myapps Hour

Now you have an hourly count for each value of myapps for each hour

| bin Hour as Day span=1d  
| stats max(count) as maxcount by myapps Day

Now you have the highest hourly count for each value of myapps for each Day, so let's display it...

| rename Day as _time
| timechart span=1d max(maxcount) as maxcount by myapps

That uses timechart to display the highest value for each day, as we have calculated it.

Now that you see all the above steps, here's a compressed way that accomplishes the same thing, letting timechart do the final calculation step...

index=myIndex sourcetype=mysrctype
| bin _time span=1h
| stats count by myapps _time
| timechart span=1d max(count) as maxcount by myapps

Re: Need help on finding daily hourly max for a month for a timechart

somesoni2 — Tue, 25 Apr 2017 21:02:55 GMT

Wonderful explanation.

Re: Need help on finding daily hourly max for a month for a timechart

payalgarg27 — Tue, 25 Apr 2017 21:58:33 GMT

Thanks a lot for your help. Its explained in a wonderful way.. I appreciate it a lot and hope to help others in the same way as you just did.. 🙂