topic Re: How to get the time of the event when finding maximum event count that has happened in a minute over a time in Splunk Search

How to get the time of the event when finding maximum event count that has happened in a minute over a time

RemyaT — Thu, 20 Jul 2023 21:12:54 GMT

I have a query to find the maximum event count that has happened in a minute over time as below

index="xxx" "headers.a"="abc" | rename "status.operation_path" as PATH | bucket _time span=1m | stats count by PATH _time | stats max(count) by PATH

The above query displays the maximum event count in a minute VS PATH. I also need to display the time when this maximum event count happened for each path.

Re: How to get the time of the event when finding maximum event count that has happened in a minute over a time

ITWhisperer — Thu, 20 Jul 2023 22:08:42 GMT

Re: How to get the time of the event when finding maximum event count that has happened in a minute over a time

lshatzer — Thu, 20 Jul 2023 22:13:10 GMT

I adjusted your search to use the _internal index, you should be able to adjust the SPL to suit your use case.

This is where I would use eventstats to create a new field on each even that had the max value, and then filter to just those. And if you have two time buckets that have the same, grab just the latest.

index=_internal 
| bucket _time span=1m 
| stats count by sourcetype _time 
| eventstats max(count) as maxcount by sourcetype ```Get the max count for all buckets by sourcetype```
| where maxcount=count ```Filter down to where the maxcount is the count```
| stats latest(_time) AS _time, latest(count) by sourcetype ```Get just the latest time for that sourcetype, and the count```