Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I keep the value of the minutes in a span=1h timechart if I want to keep only the max value of the hour.

Splunked_Kid
Explorer
‎01-27-2025 07:58 AM

Hello, I'm trying to add up the MIPS of each of the partitions per minute and then keep only the maximum MIPS per day but I'd like to display the time and minutes at which this peak arrived. How do I do it?

Here's my search:

First, I want to make the addition of the MIPS for all partition per minute.
Second, I want to keep only the max value per day of the prior addition.    

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
| timechart span=1d max(MIPSParMinute) as MaxMIPSParMinute

| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| sort 0 - MaxMIPSParMinute Day
| dedup Day
| table Day Hour MaxMIPSParMinute

Unfortunaly, in my result I loose the hour and minute of when this peak occurs in the day.  Is there a way of keeping the hours and minute value? 

Splunked_Kid_0-1737993443192.png

 

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-28-2025 12:35 AM
I would like to be able to keep the top 5 peaks per day of the last x days.

Be careful.  I suspect that you really mean to keep the top 5 peak-per-day of the last x days (based on your use of dedup Day). Something like

_timeMaxMIPSParMinute
2025-01-15 00:27:002583
2025-01-07 23:08:002129
2025-01-25 22:15:002069
2025-01-22 13:58:001222
2025-01-18 08:35:00990

Is this correct?  The basic solution is the same as @gcusello suggested, just add by Day Hour to eventstats.

 

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time

| eval Hour = strftime(_time, "%H"), Day = strftime(_time, "%F")
| eventstats max(MIPSParMinute) as MaxMIPSParMinute by Day Hour
| where MIPSParMinute == MaxMIPSParMinute
| sort - MaxMIPSParMinute Day
| dedup Day
| head 5

 

I will leave formating to you.

Here is an emulation you can play with and compare with real data:

 

index=_internal earliest=-25d@d latest=-0d@d
| bin span=1m _time
| stats count as MIPSParMinute by _time
``` the above emulates
index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
```

 

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-28-2025 12:35 AM
I would like to be able to keep the top 5 peaks per day of the last x days.

Be careful.  I suspect that you really mean to keep the top 5 peak-per-day of the last x days (based on your use of dedup Day). Something like

_timeMaxMIPSParMinute
2025-01-15 00:27:002583
2025-01-07 23:08:002129
2025-01-25 22:15:002069
2025-01-22 13:58:001222
2025-01-18 08:35:00990

Is this correct?  The basic solution is the same as @gcusello suggested, just add by Day Hour to eventstats.

 

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time

| eval Hour = strftime(_time, "%H"), Day = strftime(_time, "%F")
| eventstats max(MIPSParMinute) as MaxMIPSParMinute by Day Hour
| where MIPSParMinute == MaxMIPSParMinute
| sort - MaxMIPSParMinute Day
| dedup Day
| head 5

 

I will leave formating to you.

Here is an emulation you can play with and compare with real data:

 

index=_internal earliest=-25d@d latest=-0d@d
| bin span=1m _time
| stats count as MIPSParMinute by _time
``` the above emulates
index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
```

 

Reply
Solved! Jump to solution

Splunked_Kid
Explorer
‎01-28-2025 05:32 AM

Work perfectly.

Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2025 06:46 AM

Hi @Splunked_Kid ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-27-2025 08:16 AM

Hi @Splunked_Kid ,

you could try something like this:

index=myindex 
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
| eventstats max(MIPS) AS max_MIPS
| where MIPSParMinute=max_MIPS
| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| table Day Hour MaxMIPSParMinute

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Splunked_Kid
Explorer
‎01-27-2025 08:24 AM

Hi @gcusello ,

Thank you, this is a start. Indeed, I find the time but I only have 1 value displayed. I would like to be able to keep the top 5 peaks per day of the last x days.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...