topic Re: Timechart Max in Splunk Search

Timechart Max

jgillman — Tue, 01 Oct 2019 19:03:08 GMT

I am new to splunk and I do not understand why this is giving me the same result.
There are 3 different site_names I am looking to to get the max latency out of all three.
Then when a user chooses a filter just to get the max for what they chose

index=fultonrssi sourcetype=FultonRSSI test_type_code=PING site_name="Bear Creek MS" closet_id="*" host=*| timechart max(latency) as "Max Latency"

index=fultonrssi sourcetype=FultonRSSI test_type_code=PING site_name="Banneker HS" closet_id="*" host=*| timechart max(latency) as "Max Latency"

This is the result for both

_time Max Latency
2019-10-01 14:30:00 2055.8

I looked at the raw data and they are definitely different
thanks

Re: Timechart Max

cmerriman — Wed, 02 Oct 2019 00:44:02 GMT

if you do a <base search>|stats count by latency|sort 0 - latency , is the first result the same?
try doing index=fultonrssi sourcetype=FultonRSSI test_type_code=PING closet_id="*" host=*| timechart max(latency) as "Max Latency" by site_name
or
index=fultonrssi sourcetype=FultonRSSI test_type_code=PING closet_id="*" host=*| chart count by latency site_name to check the differences. Those searches you have look accurate to me, so in my opinion, it looks like those sites have the same max for that time frame. You could try to add span=5min to the timechart to see if a more narrow span will yield different results, as well.

Re: Timechart Max

woodcock — Thu, 03 Oct 2019 01:03:20 GMT

You cannot timechart a non-number and if your latency is in duration format and contains colons, it is not a valid field to use for timechart. You may only use actual numbers.