topic Re: get peak values from a timechart in Splunk Search

get peak values from a timechart

chadman — Tue, 09 Aug 2016 14:35:26 GMT

I have a chart and would like to get a total of all the peaks values on the chart. This chart calculates idle time and goes up and then drops to 0 once the machine is no longer idle. I would like to get all the peaks and add them together. Is there a way to do this in a search? Below is what my search looks like now.

sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time"

Re: get peak values from a timechart

sundareshr — Tue, 09 Aug 2016 14:39:32 GMT

Try this

sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time" | where "Idle Time">0 | stats sum("Idle Time") as Peaks

Re: get peak values from a timechart

chadman — Tue, 09 Aug 2016 14:48:04 GMT

That seems to be adding all the times, not just the peaks. So if my values were:

1,2,3,4,0,0,1,2,3,0
I would see 16 with your search. I would like to see 7. That would get the sum of 4 and 3.

Re: get peak values from a timechart

sundareshr — Tue, 09 Aug 2016 14:54:28 GMT

Try this then. You can adjust the last segment to what you would consider acceptable peak.

sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time" | evenstats min("Idle Time") as low | where (low/"Idle Time")>.5 | stats sum("Idle Time") as IdleTime

Re: get peak values from a timechart

chadman — Tue, 09 Aug 2016 15:21:43 GMT

It's still not finding the peaks and adding them. Looks like it's still just adding all the numbers.

sourcetype="search" host=host1* || table idle |eventstats max(idle) as low | where (low/'idle') > 1 | stats sum(idle) as idle

Re: get peak values from a timechart

chadman — Tue, 09 Aug 2016 15:32:09 GMT

Here are the values I get when I search sourcetype="search1" host=host1 | table idle
0

0

0

0

0

0

4

3

2

1

0

8

7

6

5

4

3

2

1

0

So with this search I would like to see the number 12 that adds the 2 peaks found of 8 and 4. I can't figure out to just display those peaks.

Re: get peak values from a timechart

somesoni2 — Tue, 09 Aug 2016 15:49:47 GMT

Give this a try

sourcetype="search" host=host1* | timechart avg(idle) as "Idle Time" | eval sno=if('Idle Time'=0,1,0) | accum sno
| eventstats max("Idle Time") as max by sno | where 'Idle Time'=max | table _time "Idle Time"

Re: get peak values from a timechart

chadman — Tue, 09 Aug 2016 16:52:49 GMT

That did it! Thanks so much, I never would have figured that out.