How to count and compare the max amount of used di...

lemontree1 · ‎03-03-2022

Hello,
I try to count and compare the max amount of used different devices each day by groups for a week with the maximal available resources.
For each day I count a different amount of used devices per related group. For a week I want to determine the max. value for each group and compare this value with a predefined max available value.
With a a query like this:

<search> | timechart span=1d dc(devicename) by groupname <Last 7 days>

I get a table like this

_time             Group1      Group2    Group3 ...
7.1.2022 4                  8                 1
8.1.2022 2                  3 0
9.1.2022       6                  2                 0
...

How I tried to calculate the max value of each column (Group) and compare it with a predefined value for the group?

With timecharts I didn't success.
timechart doesn't pass the the value through a next command?

lemontree1 · ‎03-03-2022

Unfortunately the max field is empty, only the groupnames comes back

ITWhisperer · ‎03-03-2022

| bin _time span=1d
| stats dc(devicename) as dc_devicename by _time groupname
| stats max(dc_devicename) as max_dc_devicename by groupname

ITWhisperer · ‎03-03-2022

Rather than timechart, use stats

| stats max(count) as max by group

lemontree1 · ‎03-03-2022

How to count and compare the max amount of used different devices each day by groups for a week?

stats

timechart

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life