topic Re: How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour. in Splunk Search

How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

Splunked_Kid — Mon, 27 Jan 2025 15:58:39 GMT

Hello, I'm trying to add up the MIPS of each of the partitions per minute and then keep only the maximum MIPS per day but I'd like to display the time and minutes at which this peak arrived. How do I do it?

Here's my search:

First, I want to make the addition of the MIPS for all partition per minute.
Second, I want to keep only the max value per day of the prior addition.

index=myindex
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
| timechart span=1d max(MIPSParMinute) as MaxMIPSParMinute

| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| sort 0 - MaxMIPSParMinute Day
| dedup Day
| table Day Hour MaxMIPSParMinute

Unfortunaly, in my result I loose the hour and minute of when this peak occurs in the day. Is there a way of keeping the hours and minute value?

Thanks!

Re: How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

gcusello — Mon, 27 Jan 2025 16:16:58 GMT

Hi @Splunked_Kid ,

you could try something like this:

Ciao.

Giuseppe

Re: How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

Splunked_Kid — Mon, 27 Jan 2025 16:24:47 GMT

Hi @gcusello ,

Thank you, this is a start. Indeed, I find the time but I only have 1 value displayed. I would like to be able to keep the top 5 peaks per day of the last x days.

Thanks!

Re: How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

yuanliu — Tue, 28 Jan 2025 08:35:57 GMT

I would like to be able to keep the top 5 peaks per day of the last x days.

Be careful. I suspect that you really mean to keep the top 5 peak-per-day of the last x days (based on your use of dedup Day). Something like

_time	MaxMIPSParMinute
2025-01-15 00:27:00	2583
2025-01-07 23:08:00	2129
2025-01-25 22:15:00	2069
2025-01-22 13:58:00	1222
2025-01-18 08:35:00	990

Is this correct? The basic solution is the same as @gcusello suggested, just add by Day Hour to eventstats.

I will leave formating to you.

Here is an emulation you can play with and compare with real data:

index=_internal earliest=-25d@d latest=-0d@d | bin span=1m _time | stats count as MIPSParMinute by _time ``` the above emulates index=myindex | bin span=1m _time | stats sum(MIPS) as MIPSParMinute by _time ```

Re: How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

Splunked_Kid — Tue, 28 Jan 2025 13:32:09 GMT

Work perfectly.

Thanks!

Re: How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

gcusello — Tue, 28 Jan 2025 14:46:26 GMT

Hi @Splunked_Kid ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉