Solved: How to display the max value per day

faribole · ‎09-05-2019

My search calculate the number of events of a field per hour per day.
In my chart result I only want to see the max of each day

The result is like that

Day nb
2019-08-26 300
2019-08-27 252
2019-08-28 354
2019-08-29 458

but i would like to see the time slot in my result, like that

Day nb
2019-08-26 10:00:00 300
2019-08-27 15:00:00 252
2019-08-28 13:00:00 354
2019-08-29 11:00:00 458

How to do that ?
Thanks

DalJeanis · ‎09-05-2019

Try this -

mysearch 
| timechart span=1h  count as nb 
| eval Day=strftime(_time,"%Y/%m/%d") 
| eval Hour=strftime(_time,"%H:%M") 
| sort 0 Day - nb
| dedup Day 
| table Day Hour nb

View solution in original post

faribole · ‎09-06-2019

Thanks a lot. It's ok

DalJeanis · ‎09-05-2019

Try this -

mysearch 
| timechart span=1h  count as nb 
| eval Day=strftime(_time,"%Y/%m/%d") 
| eval Hour=strftime(_time,"%H:%M") 
| sort 0 Day - nb
| dedup Day 
| table Day Hour nb

How to display the max value per day

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

How to display the max value per day

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025