topic Re: count and compare the max amount of used different devices each day by groups for a week in Splunk Search

How to count and compare the max amount of used different devices each day by groups for a week?

lemontree1 — Thu, 03 Mar 2022 17:32:22 GMT

Hello,
I try to count and compare the max amount of used different devices each day by groups for a week with the maximal available resources.
For each day I count a different amount of used devices per related group. For a week I want to determine the max. value for each group and compare this value with a predefined max available value.
With a a query like this:

<search> | timechart span=1d dc(devicename) by groupname <Last 7 days>

I get a table like this

_time             Group1      Group2    Group3 ...
7.1.2022 4                  8                 1
8.1.2022 2                  3 0
9.1.2022       6                  2                 0
...

How I tried to calculate the max value of each column (Group) and compare it with a predefined value for the group?

With timecharts I didn't success.
timechart doesn't pass the the value through a next command?

Re: count and compare the max amount of used different devices each day by groups for a week

ITWhisperer — Thu, 03 Mar 2022 12:18:37 GMT

Rather than timechart, use stats

| stats max(count) as max by group

Re: count and compare the max amount of used different devices each day by groups for a week

lemontree1 — Thu, 03 Mar 2022 17:06:42 GMT

Re: count and compare the max amount of used different devices each day by groups for a week

lemontree1 — Thu, 03 Mar 2022 17:08:14 GMT

Unfortunately the max field is empty, only the groupnames comes back

Re: count and compare the max amount of used different devices each day by groups for a week

ITWhisperer — Thu, 03 Mar 2022 17:46:40 GMT

| bin _time span=1d | stats dc(devicename) as dc_devicename by _time groupname | stats max(dc_devicename) as max_dc_devicename by groupname