
How to display maximum power usage in last 24 hours in a table

Path Finder

Hi,
I have my results:

Host | max(usage)
ABC | 100
xyz | 200

I want to add a new column to the table with max(usage) in the last 24 hours by host.

| Max usage (last 24 hours)
| 90
| 200


Re: How to display maximum power usage in last 24 hours in a table

Motivator

Did you try join?

| join [ search <yoursearch> earliest=-24h | stats max(usage) by host ] 

Re: How to display maximum power usage in last 24 hours in a table

Path Finder

Hi,
Thanks for the solution. I have implemented this in my query. It's giving the following error:

[subsearch]: Your timerange was substituted based on your search string


Re: How to display maximum power usage in last 24 hours in a table

Motivator

What is the time range of your initial search? Just add the corresponding earliest= to this initial search too.


Re: How to display maximum power usage in last 24 hours in a table

Path Finder

Hi,
I am writing the following query:

index="power" sourcetype="powerusage" | join [ search index="power" sourcetype="powerusage" earliest=-24h | table Powerconsumption by host ]| chart max(Powerconsumption) over host

It's again giving the following error:

[subsearch]: Your timerange was substituted based on your search string


Re: How to display maximum power usage in last 24 hours in a table

Motivator

Your initial search is the same as your subsearch, so the subsearch is not needed. This should be enough:

index="power" sourcetype="powerusage" earliest=-24h | chart max(Powerconsumption) over host


Re: How to display maximum power usage in last 24 hours in a table

Path Finder

My initial search is for max consumption for the entire log. But in the subsearch, I want maximum consumption in the last 24 hours.

Host | max(usage) | Max usage (last 24 hours)
ABC | 100 | 90
xyz | 200 | 90

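Added example, not part of any post in this thread: one way to get both columns in a single pass, without join or a subsearch, is to copy the value into a helper field only for events from the last 24 hours and take max() of both fields per host. The index, sourcetype and Powerconsumption field are the ones used in the thread, the column names come from the asker's table, and last24h_usage is a field name made up for this example.

```spl
index="power" sourcetype="powerusage"
| eval last24h_usage=if(_time >= relative_time(now(), "-24h"), Powerconsumption, null())
| stats max(Powerconsumption) AS "max(usage)" max(last24h_usage) AS "Max usage (last 24 hours)" BY host
```

The search time range has to cover the whole log (for example All time) for the first column to be the overall maximum. A host with no events in the last 24 hours gets an empty value in the second column.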