topic Re: the max time of day in Splunk Search

the max time of day

baoamin — Tue, 17 Apr 2018 02:05:43 GMT

hello guys

I have a problem at work

index=mailog relay=10.204.0.0 I timechart span=1h count I timechart span=1d max（count）as count1 I appendcols 「search index=mailog relay=10.203.0.0 I timechart span=1h count I timechart span=1d max（count）as count2」

I get the max value of everyday but I donot get the information what time is most

like 3/16 12：00 is most how to display the information of time

plz help me

Re: the max time of day

p_gurav — Tue, 17 Apr 2018 04:40:01 GMT

Can you try:

 | timechart  span=1h count as count  | timechart span=1d max(count) | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S")

Re: the max time of day

baoamin — Tue, 17 Apr 2018 05:45:20 GMT

thank you I tried it but just display
2018-04-10 00：00：00
2018-04-11 00：00：00
.
.
.

why does it do not display the real time ？

thanks

Re: the max time of day

Sukisen1981 — Tue, 17 Apr 2018 10:25:08 GMT

Hi,

Your requirement is not very clear to me. Here is what I understand, you want the max count based on hour and your output should be something like day, the hour the count was max max count
try |timechart span=1h count as count |timechart span=1h max(count) as count1| eventstats max(count1) as max | where count1=max|eval day=strftime(_time, "%Y-%m-%d") |eval hour=strftime(_time, "%Y-%m-%d %H:%M:%S")| fields day,hour,count1 | fields - _time

Re: the max time of day

p_gurav — Tue, 17 Apr 2018 10:40:42 GMT

Can you try something:

 |timechart span=1h count as count  | eval date=strftime(_time, "%x") | eventstats max(count) as count1 by date | where count=count1

Re: the max time of day

ssadanala1 — Tue, 17 Apr 2018 12:09:43 GMT

Hi,

In the search you are grouping the events by span=1h so it show the _time in this format 3/16 12 00:00
If you want the what hour time frame it occured most then your search should be like this

index=your time | timechart span=1h count as count |sort 1 count desc

I used sort command to sort the results in descending order and takes only the first value which is max of count .

Re: the max time of day

fzfengzhuang — Wed, 18 Apr 2018 00:15:55 GMT

thank you every much

I just want the max value of mailog from hour 0 to 24 per day

and make the table like this

IP1_max_cou  IP2_max_count

2018-4-15 9：00 256 270
2018-4-16 11：00 328 255
2018-4-17 10：00 156 123

2018-4-17 15：00 8 9

sorry for troubling you

Re: the max time of day

fzfengzhuang — Tue, 29 Sep 2020 19:07:46 GMT

thank you for helping me

but but I need the max value of everyday per mouth

the table I want like this

time 2018-4-15 8：00 max_count 588
time 2018-4-16 10：00
max_count 600
……

can you help me

sorry for troubling you thanks

Re: the max time of day

fzfengzhuang — Tue, 29 Sep 2020 19:07:48 GMT

thank you for helping me

but but I need the max value of everyday per mouth

the table I want like this

time 2018-4-15 8：00 max_count 588
time 2018-4-16 10：00
max_count 600
……

can you help me

sorry for troubling you thanks

Re: the max time of day

Sukisen1981 — Fri, 20 Apr 2018 16:08:50 GMT

Hi,
You say you need the max value per hour and then you also say you need max value every day. If you look at @p_gurav 's query and mine they are almost identical.

We first get the counts per hour via timechart
we then do an eventstats to figure
out the max of the count per hour,
for example at which hour was the
count max
we then simply put a where filter
out the particular hour of the day
where the count=max count in step
2 above.

why is our query results different from what you want?

Re: the max time of day

fzfeng — Sat, 21 Apr 2018 01:16:31 GMT

thank you sending me a message it was solved

thank you

Re: the max time of day

woodcock — Sat, 21 Apr 2018 04:01:01 GMT

Like this:

index=mailog
| bucket _time span=1h
| stats count AS hourly_count BY host _time
| sort 0 - count
| dedup host

Re: the max time of day

TISKAR — Sat, 21 Apr 2018 13:17:53 GMT

@baoamin, you can try this, you can paste all this request in your sarch bare,

index=_internal
| timechart span=1h count 
| eval day=strftime(_time,"%Y-%m-%d")
| eventstats max(count) as max by day
| where count=max
| fields _time, count

Try by this to test your request:

index=mailog relay=10.204.0.0 
|  timechart span=1h count 
| eval day=strftime(_time,"%Y-%m-%d")
| eventstats max(count) as max by day |  appendcols 
    [search index=mailog relay=10.203.0.0 | timechart span=1h count | eval day=strftime(_time,"%Y-%m-%d") | eventstats max(count) as max by day]