topic Timechart results, max value for time in Splunk Search

Timechart results, max value for time

astatrial — Sun, 14 Jul 2019 06:52:55 GMT

Hi all,

I am counting distinct values of destinations with timechart (span=1h).
I am trying to take those values and find the max value per hour, as follows:

Original: 
_time    dest1       dest2           dest3
06:00      3           0               1
07:00      6           2               9 
08:00      0           3               7
 ...

Result: 
_time    max 
06:00     3                 
07:00     9                
08:00     7

*This is just an example, there are more dests and more hours.

Can anyone please assist me with this ?

Thanks!

Re: Timechart results, max value for time

renjith_nair — Sun, 14 Jul 2019 08:53:07 GMT

@astatrial ,

Try adding this to end of your search

|eval max=0
|foreach * [eval max=if(max < <<FIELD>>,<<FIELD>>,max)]

OR below if you do not want destination fields in your output

|untable _time,dest,count
|stats max(count) as c by _time

Re: Timechart results, max value for time

astatrial — Sun, 14 Jul 2019 10:33:02 GMT

First option didn't work, but the second option worked.

Thanks.

Re: Timechart results, max value for time

renjith_nair — Sun, 14 Jul 2019 10:47:08 GMT

@astatrial ,
First option also should work. Did you get any error message? Please note that , you have to use that search as it is. i.e. <<FIELD>> should be there as it is , dont replace it with your field names

Re: Timechart results, max value for time

astatrial — Mon, 15 Jul 2019 06:04:29 GMT

Yes, i know. There was no error, i know it is possible to fix it to get the result but the second option did the job.