topic Re: Timechart peaks - replace sum with max in Splunk Search

Timechart peaks - replace sum with max

rowancoleman — Mon, 03 Mar 2014 15:36:45 GMT

Hi all,

I'm looking to create a timechart from a very large dataset. I just want to count the occurrence of a custom value, then limit to the top 10 series which have the highest maximum within the time range. A regular timechart seems to average out the series I'm interested in because it only appears for a short time, even though it has a much higher peak value.

The docs for timechart seem to describe my issue under the "where clause" description:

Description: Specifies the criteria for including particular data series when a field is given in the tc-by-clause. The most common use of this option is to select for spikes rather than overall mass of distribution in series selection. The default value finds the top ten series by area under the curve. Alternately one could replace sum with max to find the series with the ten highest spikes.This has no relation to the where command.

I really cannot work out how I use this syntax to prefere maximums instead of sums.

Re: Timechart peaks - replace sum with max

somesoni2 — Mon, 03 Mar 2014 18:36:16 GMT

can you post your search here.

Re: Timechart peaks - replace sum with max

rowancoleman — Mon, 28 Sep 2020 16:02:01 GMT

I can give an example of a search, but this is more of a general query.

| eval attack_flow = src_port + "->" + dst_ip | timechart count by attack_flow useother=false usenull=false

This returns the top 10 'attack_flow' over a time range. But the top 10 is based on the sum count, rather than the max count.

Re: Timechart peaks - replace sum with max

MuS — Tue, 04 Mar 2014 13:00:45 GMT

Hi rowancoleman,

if I get your question correct, then you can use something like this to get the max count for each attack_flow:

 | eval attack_flow = src_port + "->" + dst_ip | stats count by attack_flow, _time | timechart max(count) AS max by attack_flow useother=f usenull=f

the stats will take care of the counting for each attack_flow and the timechart will display the max for each attack_flow.

hope this helps ...

cheers, MuS

Re: Timechart peaks - replace sum with max

rowancoleman — Tue, 04 Mar 2014 15:10:23 GMT

Hi,

That doesn't seem to do it, I get odd results, and it runs very very slowly.

Re: Timechart peaks - replace sum with max

MuS — Wed, 05 Mar 2014 08:46:01 GMT

take a look at this example:
index=_internal source=*metrics.log series=splunkd* earliest=-24h@h | bucket _time span=1m | stats count as c_series by series, _time | timechart max(c_series) AS max min(c_series) AS min by series useother=f usenull=f

this will search the last 24 hours on index _internal for splunkd* events in metrics.log, create one minute buckets, count each occurrence of series in those buckets and displays a timechart of max and min count for each series.
Adapt it to match your search and needs and your ready to go.

Re: Timechart peaks - replace sum with max

amomchilov — Mon, 06 Apr 2020 17:08:13 GMT

I tried to adapt your comment to fit my case, but it doesn't seem quite right: https://i.imgur.com/GjvilZn.png It seems like a very similar set of series were picked, but with the Y values squished by about 1/5. I posted a related question, could you please take a look if you're free? https://answers.splunk.com/answers/815185