https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680167#M232500 <P>Since you didn't provide any sample events I had to guess - since you still haven't provided any sample events I can only guess whether this is right or not. Since it apparently isn't giving what you want, I would guess it isn't right. In your search, what is count? Is it a field in your events?</P> Sat, 09 Mar 2024 16:20:30 GMT ITWhisperer 2024-03-09T16:20:30Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680153#M232497 <P>Hi Team,</P><P>I want to calculate peak hourly volume of each month for each service. Each service can have different peak times and first need to calculate peak hour of each component for the month. Likewise calculate for last 3 months. Then calculate the average of 3 months peak hourly volume.<BR />Below table is the sample requirement.</P><TABLE width="346"><TBODY><TR><TD width="64">&nbsp;</TD><TD width="73">January-24</TD><TD width="81">February-24</TD><TD width="64">March-24</TD><TD width="64">Avg Volume</TD></TR><TR><TD>service1</TD><TD>20</TD><TD>50</TD><TD>20</TD><TD>30</TD></TR><TR><TD>service2</TD><TD>4</TD><TD>3</TD><TD>8</TD><TD>5</TD></TR><TR><TD>service3</TD><TD>20</TD><TD>30</TD><TD>40</TD><TD>30</TD></TR><TR><TD>service4</TD><TD>30000</TD><TD>30000</TD><TD>9000</TD><TD>23000</TD></TR><TR><TD>service5</TD><TD>200</TD><TD>300</TD><TD>400</TD><TD>300</TD></TR></TBODY></TABLE> Sat, 09 Mar 2024 14:25:25 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680153#M232497 Allampally 2024-03-09T14:25:25Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680160#M232498 <LI-CODE lang="markup">| bin _time span=1h | stats sum(volume) as volume by _time component | bin _time span=1mon | chart max(volume) as volume by component _time | addtotals | eval Average=Total/3</LI-CODE> Sat, 09 Mar 2024 15:30:42 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680160#M232498 ITWhisperer 2024-03-09T15:30:42Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680165#M232499 <P>&nbsp;</P><P>What is the field used as "volume" ? Is it similar to "count" in stats to get volume ?&nbsp;</P><P>I tried this but not working and tried a portion of your query&nbsp;</P><P>| bin _time span=1h<BR />| stats sum(count) as volume by _time component</P><P>Its not reporting anything under volume</P> Sat, 09 Mar 2024 16:17:03 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680165#M232499 Allampally 2024-03-09T16:17:03Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680167#M232500 <P>Since you didn't provide any sample events I had to guess - since you still haven't provided any sample events I can only guess whether this is right or not. Since it apparently isn't giving what you want, I would guess it isn't right. In your search, what is count? Is it a field in your events?</P> Sat, 09 Mar 2024 16:20:30 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680167#M232500 ITWhisperer 2024-03-09T16:20:30Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680172#M232501 <P>This is the sample stats command for my log.&nbsp;</P><P>index=company app=abc | stats count by component</P><P>I don't have field for volume. We have to calculate volume from the stats count.&nbsp;</P> Sat, 09 Mar 2024 16:46:45 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680172#M232501 Allampally 2024-03-09T16:46:45Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680182#M232502 <P>Count is not the same as volume. Unless you have a synthetic field added during ingestion (or use summary indexing), you have to calculate it manually (unfortunately you cannot use tstats for that so it's gonna be costly since every single matching event has to be read and "measured")</P><PRE>index=whatever &lt;your other conditions&gt;<BR />| eval eventlength=len(_raw)</PRE><P>Now you can do some summarizing</P><PRE>| bin _time span=1h<BR />| stats sum(eventlength) as volume by source component whatever</PRE><P>This will give you one hour volumes. Now you can do with it whatever you want. Like the stats <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; already posted.</P> Sat, 09 Mar 2024 23:07:10 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680182#M232502 PickleRick 2024-03-09T23:07:10Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680194#M232506 <LI-CODE lang="markup">| bin _time span=1h | stats count as volume by _time component | bin _time span=1mon | chart max(volume) as volume by component _time | addtotals | eval Average=Total/3</LI-CODE> Sun, 10 Mar 2024 09:08:47 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680194#M232506 ITWhisperer 2024-03-10T09:08:47Z https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680283#M232524 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;- It worked for me</P> Mon, 11 Mar 2024 13:59:33 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hourly-volume-monthly-wise-for-last-3-months/m-p/680283#M232524 Allampally 2024-03-11T13:59:33Z