Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting Max value over time in report

tsheets13
Communicator
‎08-20-2019 08:48 AM

I have a report that I'm having trouble making it do what I want it to.

It essentially reports 3 values, time of first event. servername, timevalueinmillisec

I can easily use table Time, server, ms and it works but of course gives me every event.

What I want is exactly this but I want the Maximum value of ms over 30 minutes.

It was proposed to me to use

timechart span=30m max(ms) as MS by server

and this of course returns the correct values, but it gives me a separate column for each server and then that max value in the row, like this....

_time sxx0045 sxx0048 p09ps0046 p09ps0049
2019-08-20 10:00:00 0.30 0.11 0.47 0.33

What I want ultimately should look like this

Time Server ms
10:29:31 08/20/2019 sxx0045 0.30
10:29:37 08/20/2019 sxx0048 0.11
10:30:02 08/20/2019 sxx0046 0.47
10:30:16 08/20/2019 sxx0049 0.33

Can anyone assist?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-20-2019 10:22 AM

After your search use the untable command.

your search... | untable _time server ms

More for the docs:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎08-20-2019 12:24 PM

here you go :

your search .. | bin _time span=30m | stats max(ms) as MS by server _time

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-20-2019 10:22 AM

After your search use the untable command.

your search... | untable _time server ms

More for the docs:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎08-20-2019 10:09 AM

I should Add, though my example results don't how this, Only want resulting columns for every half hour, since the output I'm looking for is the max(ms) over span of 30m.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...