How do I get max for all events to use in timechart 1h span?

New Member

(this may be a duplicate, as I wrote a version of this question before registering and can't find it)

I have a situation where I have a column of values and want to use the maximum of all events as a value for use in a timechart with a 1h span. Note: I'm a newbie.

For example: I have a column with the values [0, 73, 103, 171, 119] in my timechart with a 1h span, for 5 hours. I want to use the max value to populate all rows of another column, in this case 171.

I tried something like the following snippet, which of course didn't work (or I wouldn't be writing this):

| eval myFlag= if(like(myString, "%My Message%"), "true", "false")
| eval maxCount = 0
| foreach * [eval maxCount = if(myFlag="true",  maxCount + 1, 0)]
| timechart count(eval(myFlag=="true")) as errorCount, max(maxCount) as maxErrorCount span=1h

Help appreciated!

0 Karma

Ultra Champion
| makeresults
| eval sample="0,73,103,171,119"
| makemv delim="," sample
| mvexpand sample
| streamstats count
| eval time_arg="+".count."h@h"
| eval time=relative_time(_time,time_arg)
| rename time as _time
| table _time sample count
`comment("this is sample data")`
| eval myFlag=if(count % 2 == 1,"true", "false")
| eventstats max(eval(if(myFlag=="false",sample,0))) as max_error_value, count(eval(myFlag=="false")) as error_count

Hi, all.
From the example sentence, this is the query.
However, it appears that there are other columns in the presented query.
I can't make an exact query without knowing what it is.

0 Karma


I came up with this as a solution, but there are likely quite a few:

index=whatever earliest=-3m
| timechart count span=1m
| eventstats max(count) as maxCountOverTime

This doesn't take into account any of your evals, but effectively I got 3 buckets and then the eventstats took the highest one and slapped it on all the rows' values for maxCountOverTime. eventstats basically does what stats does (does aggregation by buckets) but instead of filtering down to just that result set, it goes back to the previous one and adds the newly aggregated data where applicable. Docs can be found here: https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Eventstats.

Let me know if this helps!

0 Karma
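The same eventstats-after-timechart pattern applied to the fields from the question, as an added example that is not part of either answer (`index=whatever`, `myString` and the `%My Message%` pattern are the asker's placeholders, assumed here):

```spl
index=whatever earliest=-5h
| eval myFlag=if(like(myString, "%My Message%"), "true", "false")
| timechart span=1h count(eval(myFlag=="true")) as errorCount
| eventstats max(errorCount) as maxErrorCount
```

The eventstats has to come after the timechart, because the maximum wanted is over the hourly buckets rather than over raw events; timechart still emits a 0 errorCount row for an hour with no matches, and every row, including that one, gets the same maxErrorCount.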