Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get max number of hours without events for all indexes, myindex=* ?

vl951f
Path Finder
‎05-25-2021 10:45 AM

I have the summary index to record hourly event count for all device (de_count). I have the following search to get max number of hours without events for myindex=router:

myindex=router

| bucket _time span=1h  | stats sum(de_count) as event_count by _time  (get hourly event count by _time)

| search event_count!=0 | delta _time as mydelta ( get max number of hours without events)

| eval number_of_zeros=floor(mydelta/3600.00)-1

| stats max(number_of_zeros)

| rename "max(number_of_zeros)" as maxgap

| table myindex maxgap

 How can I get max number of hours without events for all indexes, myindex=* ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vl951f
Path Finder
‎05-28-2021 02:54 PM

Got it working by changing "by _time,myindex" to "by myindex,_time".

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2021 11:05 AM

Have you tried adding by index to the stats commands?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎05-25-2021 11:12 AM

I tried the following. It didn't work. Looks like it put all results in one line.  I only got the result for one myindex, and not showing myindex in the table.

myindex=router

| bucket _time span=1h  | stats sum(de_count) as event_count by _time,myindex  (get hourly event count by _time)

| search event_count!=0 | delta _time as mydelta ( get max number of hours without events)

| eval number_of_zeros=floor(mydelta/3600.00)-1

| stats max(number_of_zeros) by myindex

| rename "max(number_of_zeros)" as maxgap

| table myindex maxgap

0 Karma
Reply
Solved! Jump to solution

vl951f
Path Finder
‎05-25-2021 11:15 AM

I tried the following search, didn't work

myindex=*

| bucket _time span=1h  | stats sum(de_count) as event_count by _time,myindex  (get hourly event count by _time)

| search event_count!=0 | delta _time as mydelta ( get max number of hours without events)

| eval number_of_zeros=floor(mydelta/3600.00)-1

| stats max(number_of_zeros) by myindex

| rename "max(number_of_zeros)" as maxgap

| table myindex maxgap

0 Karma
Reply
Solved! Jump to solution
Solution

vl951f
Path Finder
‎05-28-2021 02:54 PM

Got it working by changing "by _time,myindex" to "by myindex,_time".

0 Karma
Reply
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...