Get values of several series during same timespan that the maximum of one series during a day

gregory_cordier — Mon, 18 May 2020 13:05:33 GMT

Hi,

I built a report that list daily maximums and averages of counts per hour on several days. (difficult to put it in phrase..)
Here is the query I use:

<search string>
| bucket _time span=1h 
| stats dc(Serial) as dcSerial, dc(otherserial) as dcOtherSerial by _time 
| bucket _time span=1d 
| eval Processedtime=strptime(_time,"%s") 
| stats max(dcSerial) avg(dcSerial) max(dcOtherSerial) avg(dcOtherSerial) by Processedtime

So this query returns maximums of distinct counts of each fields, which is good.
But what I need is to return the dcOtherSerial has when dcSerial is at the maximum during the day (because I don't care about the maximum of dcOtherSerial, I want to correlate both of them).
Is it understandable ?

any thoughts?

thanks

Re: Get values of several series during same timespan that the maximum of one series during a day

to4kawa — Sun, 24 May 2020 00:20:14 GMT

 <search string>
 | bucket _time span=1h 
 | stats dc(Serial) as dcSerial, dc(otherserial) as dcOtherSerial by _time 
 | bucket _time span=1d 
 | eval Processedtime=strptime(_time,"%s") 
 | eventstats max(dcSerial) avg(dcSerial) max(dcOtherSerial) avg(dcOtherSerial) by Processedtime
 | where as_you_like

use eventstats not stats

topic Re: Get values of several series during same timespan that the maximum of one series during a day in Splunk Search

Get values of several series during same timespan that the maximum of one series during a day

Re: Get values of several series during same timespan that the maximum of one series during a day