Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

Splunked_Kid
Explorer
‎01-27-2025 07:58 AM

Hello, I'm trying to add up the MIPS of each of the partitions per minute and then keep only the maximum MIPS per day but I'd like to display the time and minutes at which this peak arrived. How do I do it?

Here's my search:

First, I want to make the addition of the MIPS for all partition per minute.
Second, I want to keep only the max value per day of the prior addition.    

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
| timechart span=1d max(MIPSParMinute) as MaxMIPSParMinute

| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| sort 0 - MaxMIPSParMinute Day
| dedup Day
| table Day Hour MaxMIPSParMinute

Unfortunaly, in my result I loose the hour and minute of when this peak occurs in the day.  Is there a way of keeping the hours and minute value? 

Splunked_Kid_0-1737993443192.png

 

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-28-2025 12:35 AM
I would like to be able to keep the top 5 peaks per day of the last x days.

Be careful.  I suspect that you really mean to keep the top 5 peak-per-day of the last x days (based on your use of dedup Day). Something like

_timeMaxMIPSParMinute
2025-01-15 00:27:002583
2025-01-07 23:08:002129
2025-01-25 22:15:002069
2025-01-22 13:58:001222
2025-01-18 08:35:00990

Is this correct?  The basic solution is the same as @gcusello suggested, just add by Day Hour to eventstats.

 

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time

| eval Hour = strftime(_time, "%H"), Day = strftime(_time, "%F")
| eventstats max(MIPSParMinute) as MaxMIPSParMinute by Day Hour
| where MIPSParMinute == MaxMIPSParMinute
| sort - MaxMIPSParMinute Day
| dedup Day
| head 5

 

I will leave formating to you.

Here is an emulation you can play with and compare with real data:

 

index=_internal earliest=-25d@d latest=-0d@d
| bin span=1m _time
| stats count as MIPSParMinute by _time
``` the above emulates
index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
```

 

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-28-2025 12:35 AM
I would like to be able to keep the top 5 peaks per day of the last x days.

Be careful.  I suspect that you really mean to keep the top 5 peak-per-day of the last x days (based on your use of dedup Day). Something like

_timeMaxMIPSParMinute
2025-01-15 00:27:002583
2025-01-07 23:08:002129
2025-01-25 22:15:002069
2025-01-22 13:58:001222
2025-01-18 08:35:00990

Is this correct?  The basic solution is the same as @gcusello suggested, just add by Day Hour to eventstats.

 

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time

| eval Hour = strftime(_time, "%H"), Day = strftime(_time, "%F")
| eventstats max(MIPSParMinute) as MaxMIPSParMinute by Day Hour
| where MIPSParMinute == MaxMIPSParMinute
| sort - MaxMIPSParMinute Day
| dedup Day
| head 5

 

I will leave formating to you.

Here is an emulation you can play with and compare with real data:

 

index=_internal earliest=-25d@d latest=-0d@d
| bin span=1m _time
| stats count as MIPSParMinute by _time
``` the above emulates
index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
```

 

Reply
Solved! Jump to solution

Splunked_Kid
Explorer
‎01-28-2025 05:32 AM

Work perfectly.

Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2025 06:46 AM

Hi @Splunked_Kid ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-27-2025 08:16 AM

Hi @Splunked_Kid ,

you could try something like this:

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
| eventstats max(MIPS) AS max_MIPS
| where MIPSParMinute=max_MIPS
| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| table Day Hour MaxMIPSParMinute

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Splunked_Kid
Explorer
‎01-27-2025 08:24 AM

Hi @gcusello ,

Thank you, this is a start. Indeed, I find the time but I only have 1 value displayed. I would like to be able to keep the top 5 peaks per day of the last x days.

Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...