Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract max count value

marco_massari11
Communicator
‎11-23-2020 05:47 AM

Hi,

I have thousands of csv file on my splunk by monitoring a local share. Each day the folder is replicated by new csv files (current day).The csv file are about switches and are all differents and contain for each one some informations about their interfaces (ip, interface name...). In my query I filter for some fileds to include only interfaces that I need. Ip and Interface name should be unique, so I think I should dedup like | dedup IP, Interface. Then I want to extract for each month the max count of those filtered Interfaces. My query is like this but it's incomplete:

index=appliance sourcetype=new field1=........ field2=........ field3=........

| dedup Ip, Interface (I don't know if is correct and if is what I need)

| ...?

Labels (5)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-23-2020 06:15 AM

You say the query is incomplete, but don't say what is missing.

The dedup command takes the first event for each unique set of Ip and Interface values.  It may be ignoring the events that contain the max value you seek.  If you will be using the stats command to find a maximum value then using dedup is not only unneeded, but counter-productive.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

marco_massari11
Communicator
‎11-23-2020 06:55 AM

The query is incomplete beacuse I don't know how to proceed. Yes with dedup I lose old values, So how can I fix this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-23-2020 10:21 AM

What are the desired results?  You say you want a max count so have you looked at the stats command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

marco_massari11
Communicator
‎11-24-2020 01:29 AM

I want the max count of distinct Interfaces for each month. I tried sometthing like this:

index=network_appliance Hostname=** (sourcetype="old" OR sourcetype="new") 
| timechart max(Interface) as Total_max span=1mon

But I have not results

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:28 AM

Is this what you need?

index=network_appliance Hostname=** (sourcetype="old" OR sourcetype="new") 
| bin span=1mon _time
| stats dc(Interface) as if_count by _time
| timechart span=1mon max(if_count) as Total_max
---
If this reply helps you, Karma would be appreciated.
Reply

marco_massari11
Communicator
‎11-24-2020 06:43 AM

@richgalloway  yes but the counts are so small. I should have around 28k interfaces but the result is 6k

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:50 AM

If you have 28,000 distinct interfaces, but Splunk finds only 6,000 then perhaps something is wrong with the data.  How are you arriving at the 28k figure?  Are all 28k reporting to Splunk consistently?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

marco_massari11
Communicator
‎11-24-2020 06:55 AM

Yes beacuse I have a total count query which returns number of interfaces. Each Interface have an IP, so the couple Interface-IP is unique.

index=network_appliance Hostname=* (sourcetype="old" OR sourcetype="new")
| dedup Interface IP
| stats count(Interface)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top