Splunk Search

Find the max values with the range of natural week and sum these values

echozero39
Engager

Hi all,

I have logs that count number of invocation themselves. But the service that generates these values starts every mondy and reboot every sunday evening, that means if I want to know the total number of invocation. I have to sum up the max values of each week.

I know that in Splunk, define a week is not a difficult thing, 1w or 7d are fine, but what I want is "span" natural week...

My logs are like (timestamps are ignored):

Process, Method, number
name1, getXXX, 0
name1, getXXX, 3
name1, setXXX, 1
name2, setXXX, 0
name2, setXXX, 2

And the next week,

name1,getXXX,0
name1,getXXX,1
name1,setXXX,2
name2,setXXX,2
name2,setXXX,6

What I want is the result like :

Process Method Total
name1,getXXX,4
name1,setXXX,3
name2,setXXX,8

So that should be something like | timechart span=1w max(number) as MAX by Process Method | stats sum(MAX) by Process Method
And most important is, in natural week, that means exactly from the cumulation of max values from each monday to sunday

Thanks for anyone who can help !

Tags (4)
0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a") | stats max(number) as MAX by Process Method Week | stats sum(MAX) by Process Method

View solution in original post

0 Karma

woodcock
Esteemed Legend

Try this:

... | eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a") | stats max(number) as MAX by Process Method Week | stats sum(MAX) by Process Method
0 Karma

echozero39
Engager

Thanks a lot woodcock,

What if i have several servers that means I have another field named "Serveur", how do i do to get the whole sum up.
And i think the sum count of method should be:
1. max(number) by server process method in a week
2. sum(max) by method

I am not sure if i can get the right results when my command is like :
|eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a")| stats max(NbInvocationCumulee) as MAX by Serveur Process Method Week | stats sum(MAX) as Total by Method

And am I right if I want the sum by server, then my command is like :
| eval Week=relative_time(_time, "@w1") | fieldformat Week = strftime(Week, "%d/%m/%y:%a")| stats max(NbInvocationCumulee) as MAX by Serveur Process Method Week | stats sum(MAX) as Total by Server Method

And does it means that i can have multiple possible combination by changing the last stats ?
Furthermore, why the field "week" still exists in the final results even without values ? I typed fields - Week but it not works

0 Karma

woodcock
Esteemed Legend

First of all, should you really be using sum (addition) on a max value; shouldn't you be using something like avg(MAX)? In any case, I will answer your questions as-is, even though I have great concern that your approach seems to be fundamentally flawed.

1: Yes, to do an additional level of breakout, just add the field to the by portion of the first stats command.
2: There is a bug right now in the fields command where it cannot always remove fields. The work-around is to do a | table * first, like this:

| table * | fields - Week

Don't forget to "Accept" my answer.

0 Karma

echozero39
Engager

Thanks for your concern.
Let me make a simple explanation, the service reboot every sunday night, and when the service runs, it cumulates the number of invocation of this service, which means, the max value of the week (also probably the last one) is the total amount of this week. In such situation, if I want the whole amount, I have to sum up these maxvalues.

  1. Thank you for this tip, but anyway should it be filtered already when we use stats command.. I mean, it should only show the fields in stats
0 Karma

echozero39
Engager

Even using table and fields... There is still "Week" columne...strange

0 Karma

woodcock
Esteemed Legend

I added this to an existing bug case (this is another instance of the same bug). Don't forget to "Accept" my answer.

0 Karma

echozero39
Engager

; p, thanks again woodcock

0 Karma

woodcock
Esteemed Legend

If you completely remove this part of your search string, then the Week field will no longer be a problem:

| fieldformat Week = strftime(Week, "%d/%m/%y:%a")
0 Karma

echozero39
Engager

but, still this is a bug ?

0 Karma

woodcock
Esteemed Legend

Yes, and I have an open bug case being worked.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...