Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting Max value over time in report

tsheets13
Communicator
‎08-20-2019 08:48 AM

I have a report that I'm having trouble making it do what I want it to.

It essentially reports 3 values, time of first event. servername, timevalueinmillisec

I can easily use table Time, server, ms and it works but of course gives me every event.

What I want is exactly this but I want the Maximum value of ms over 30 minutes.

It was proposed to me to use

timechart span=30m max(ms) as MS by server

and this of course returns the correct values, but it gives me a separate column for each server and then that max value in the row, like this....

_time sxx0045 sxx0048 p09ps0046 p09ps0049
2019-08-20 10:00:00 0.30 0.11 0.47 0.33

What I want ultimately should look like this

Time Server ms
10:29:31 08/20/2019 sxx0045 0.30
10:29:37 08/20/2019 sxx0048 0.11
10:30:02 08/20/2019 sxx0046 0.47
10:30:16 08/20/2019 sxx0049 0.33

Can anyone assist?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-20-2019 10:22 AM

After your search use the untable command.

your search... | untable _time server ms

More for the docs:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎08-20-2019 12:24 PM

here you go :

your search .. | bin _time span=30m | stats max(ms) as MS by server _time

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-20-2019 10:22 AM

After your search use the untable command.

your search... | untable _time server ms

More for the docs:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Untable

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tsheets13
Communicator
‎08-20-2019 10:09 AM

I should Add, though my example results don't how this, Only want resulting columns for every half hour, since the output I'm looking for is the max(ms) over span of 30m.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...