How to display maximum power usage in last 24 hour...

geetanjali · ‎05-16-2011

Hi,
i have my results :

Host | max(usage)

ABC | 100

xyz | 200

I want to add new column in table with max(usage) in last 24 hours by host.

| Max usage (last 24 hours)

| 90

| 200

MarioM · ‎05-16-2011

did you try join?

| join [ search <yoursearch> earliest=-24h | stats max(usage) by host ]

geetanjali · ‎05-17-2011

My initial search is for max consumption for entire log. But in subsearch, want maximum comsumption in last 24 hours.

Host | max(usage) | Max usage (last 24 hours)

ABC | 100 | 90

xyz | 200 | 90

MarioM · ‎05-17-2011

your initial search is same as you subsearch then subsearch is not needed,this should be enough:

index="power" sourcetype="power_usage" earliest=-24h | chart max(Power_consumption) over host

geetanjali · ‎05-17-2011

Hi,
I am writing following query :

index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | table Power_consumption by host ]| chart max(Power_consumption) over host

Its again giving following error:-

[subsearch]: Your timerange was substituted based on your search string

MarioM · ‎05-17-2011

what is timerange of your initial search? just add the corresponding earliest= to this initial search too.

geetanjali · ‎05-16-2011

Hi,
Thanks for the solution. I have implemented this in my query. its giving following error :

[subsearch]: Your timerange was substituted based on your search string

How to display maximum power usage in last 24 hours in a table

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to display maximum power usage in last 24 hours in a table

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine