How to display timstamp of max util value?

priya1926 · ‎12-15-2022

hi,

i am using this query to display max value by a host for Disk Read Time.

Also i need the max values TIMESTAMP. This search can be for 24 hrs or a week or a month.. but the timestamp should be exact of the entry to the max value time..

index=perfmon source="Perfmon:LogicalDisk" host="abc" object=LogicalDisk | search NOT(instance=_Total) counter="% Disk Read Time" | eval Idx=instance | stats max(Value) by Idx, host

richgalloway · ‎12-15-2022

The stats command discards all fields except Idx, host, and "max(Value)" so there is no _time to display. Also, the max function does not associate the result with the event from which it came (there may be multiple events with the same max value).

Try this.

index=perfmon source="Perfmon:LogicalDisk" host="abc" object=LogicalDisk 
| search NOT(instance=_Total) counter="% Disk Read Time" 
| eval Idx=instance 
```Find the highest value for each Idx/host pair and make it a new field```
| eventstats max(Value) as MaxValue by Idx, host
```Keep only the events with the highest MaxValue field```
| where Value = MaxValue
| table _time, Idx, host, MaxValue

---
If this reply helps you, Karma would be appreciated.

How to display timstamp of max util value?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform