Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find the max values with the range of natural week and sum these values

echozero39
Engager
‎06-18-2015 07:18 AM

Hi all,

I have logs that count number of invocation themselves. But the service that generates these values starts every mondy and reboot every sunday evening, that means if I want to know the total number of invocation. I have to sum up the max values of each week.

I know that in Splunk, define a week is not a difficult thing, 1w or 7d are fine, but what I want is "span" natural week...

My logs are like (timestamps are ignored): 

Process, Method, number
name1, getXXX, 0
name1, getXXX, 3
name1, setXXX, 1
name2, setXXX, 0
name2, setXXX, 2

And the next week, 

name1,getXXX,0
name1,getXXX,1
name1,setXXX,2
name2,setXXX,2
name2,setXXX,6

What I want is the result like : 

Process Method Total
name1,getXXX,4
name1,setXXX,3
name2,setXXX,8

So that should be something like | timechart span=1w max(number) as MAX by Process Method | stats sum(MAX) by Process Method
And most important is, in natural week, that means exactly from the cumulation of max values from each monday to sunday

Thanks for anyone who can help !

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-18-2015 07:36 AM

Try this:

... | eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a") | stats max(number) as MAX by Process Method Week | stats sum(MAX) by Process Method

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-18-2015 07:36 AM

Try this:

... | eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a") | stats max(number) as MAX by Process Method Week | stats sum(MAX) by Process Method
0 Karma
Reply
Solved! Jump to solution

echozero39
Engager
‎06-19-2015 12:21 AM

Thanks a lot woodcock,

What if i have several servers that means I have another field named "Serveur", how do i do to get the whole sum up.
And i think the sum count of method should be:
1. max(number) by server process method in a week
2. sum(max) by method

I am not sure if i can get the right results when my command is like :
|eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a")| stats max(NbInvocationCumulee) as MAX by Serveur Process Method Week | stats sum(MAX) as Total by Method

And am I right if I want the sum by server, then my command is like :
| eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a")| stats max(NbInvocationCumulee) as MAX by Serveur Process Method Week | stats sum(MAX) as Total by Server Method

And does it means that i can have multiple possible combination by changing the last stats ?
Furthermore, why the field "week" still exists in the final results even without values ? I typed fields - Week but it not works

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-19-2015 06:30 AM

First of all, should you really be using sum (addition) on a max value; shouldn't you be using something like avg(MAX)? In any case, I will answer your questions as-is, even though I have great concern that your approach seems to be fundamentally flawed.

1: Yes, to do an additional level of breakout, just add the field to the by portion of the first stats command.
2: There is a bug right now in the fields command where it cannot always remove fields. The work-around is to do a | table * first, like this:

| table * | fields - Week

Don't forget to "Accept" my answer.

0 Karma
Reply
Solved! Jump to solution

echozero39
Engager
‎06-19-2015 06:44 AM

Thanks for your concern.
Let me make a simple explanation, the service reboot every sunday night, and when the service runs, it cumulates the number of invocation of this service, which means, the max value of the week (also probably the last one) is the total amount of this week. In such situation, if I want the whole amount, I have to sum up these maxvalues.

  1. Thank you for this tip, but anyway should it be filtered already when we use stats command.. I mean, it should only show the fields in stats
0 Karma
Reply
Solved! Jump to solution

echozero39
Engager
‎06-19-2015 06:59 AM

Even using table and fields... There is still "Week" columne...strange

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-19-2015 07:33 AM

I added this to an existing bug case (this is another instance of the same bug). Don't forget to "Accept" my answer.

0 Karma
Reply
Solved! Jump to solution

echozero39
Engager
‎06-19-2015 07:36 AM

; p, thanks again woodcock

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-22-2015 07:56 AM

If you completely remove this part of your search string, then the Week field will no longer be a problem:

| fieldformat Week = strftime(Week, "%d/%m/%y:%a")
0 Karma
Reply
Solved! Jump to solution

echozero39
Engager
‎06-22-2015 07:59 AM

but, still this is a bug ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-22-2015 08:55 AM

Yes, and I have an open bug case being worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...