Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count and compare the max amount of used different devices each day by groups for a week?

lemontree1
Explorer
‎03-03-2022 04:06 AM

Hello,
I try to count and compare the max amount of used different devices each day by groups for a week with the maximal available resources.
For each day I count a different amount of used devices per related group. For a week I want to determine the max. value for each group and compare this value with a predefined max available value.
With a a query like this:

<search> | timechart span=1d dc(devicename) by groupname                       <Last 7 days>

I get a table like this

_time             Group1      Group2    Group3 ...
7.1.2022       4                  8                 1
8.1.2022       2                  3                 0
9.1.2022       6                  2                 0
...

How I tried to calculate the max value of each column (Group) and compare it with a predefined value for the group?

With timecharts I didn't success.
timechart doesn't pass the the value through a next command?

Labels (2)
Labels
0 Karma
Reply

lemontree1
Explorer
‎03-03-2022 09:08 AM

Unfortunately the max field is empty, only the groupnames comes back

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2022 09:46 AM 
| bin _time span=1d
| stats dc(devicename) as dc_devicename by _time groupname
| stats max(dc_devicename) as max_dc_devicename by groupname
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2022 04:18 AM

Rather than timechart, use stats

| stats max(count) as max by group
0 Karma
Reply

lemontree1
Explorer
‎03-03-2022 09:06 AM
 
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...