Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder

fariapm1 — Tue, 29 Sep 2020 17:01:31 GMT

Hi,
I'm new in Splunk (and my knowledge is very basic) and I have to build a complex dashboard with multiple indexes. I've tried googling it and I did not find anything related to my needs.
So, I have my index with a log file from a group of servers (farm) and that log is imported every 15min (96 files everyday).

My logfile has this name: source=ControlUp_Computers_11_22_2017_16_29_57 where "16_29_57" represents at what time it was imported to splunk.

In this case I have to SUM all the servers sessions every 15min

Source examples:
ControlUp_Computers_11_22_2017_16_29_57.csv
ControlUp_Computers_11_22_2017_16_44_59.csv

My search is:

Windows last 4 days
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| timechart span=15min sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected
| timechart span=1d max(Total), max(Active), max(Disconnected)

Output:
_time max(Total) max(Active) max(Disconnected)
20/11/2017 4197 3076 2784
21/11/2017 4243 3014 2803
22/11/2017 8601 6089 2849
23/11/2017 2570 2038 1824

Each logfile has the number of all sessions state, so I need to SUM all of them and then get the MAX of each days.
But all servers are grouped (by Folder)

With this search I have my results
index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder =substr(Folder,22,25)
| timechart span=15min sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected by Folder

Folder names (agentes, callcenters)

Output:
_time |Active: agentes |Active: callcenters |Disconnected: agentes |Disconnected: callcenters |Total: agentes |Total: callcenters
2017-11-24 00:00:00 |11 |54 |16 |584 |479 |638

2017-11-24 00:15:00 |9 |49 |11 |535 |449 |584

2017-11-24 00:30:00 |9 |45 |6 |439 |410 |484

Now I need to find the MAX of each day by Folder. But applying the 2nd timechart I can't get my results

index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder =substr(Folder,22,25)
| timechart span=15m sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected
| timechart span=1d max("Total"), max("Active"), max("Disconnected") by Folder

Can you help pointing me to the right direction?

Thanks!!!

Re: Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder

somesoni2 — Tue, 28 Nov 2017 15:12:36 GMT

Try like this

index=pt_app_it_controlup sourcetype="csv-computers"
| eval Disconnect = 'Disconnected Sessions' + 'Idle Sessions' + 'Other Sessions'
| eval Folder =substr(Folder,22,25)
| timechart span=15m sum("User Sessions") as Total, sum(Active Sessions) as Active, sum(Disconnect) as Disconnected 
| timechart span=1d max(*) as *

Basically get max of each available columns with span=1d.

Re: Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder

fariapm1 — Wed, 29 Nov 2017 10:05:53 GMT

Hi,

It works, many tanks!!!

Meanwhile, also found a similar solution:
| bucket span=24h _time
| stats max(*) as * by _time

topic Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder in Splunk Search

Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder

Re: Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder

Re: Using two timechart to calculate the sum (each 15mim) and then the max (by day) by Folder