Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to edit my search to get the sum of the maximum value per day for the month?

thefuzz4
Path Finder
โ€Ž04-13-2016 10:16 PM

So I have my accurite weather sensor pumping its data into Splunk. (If you want to know how I did that just ask ๐Ÿ™‚ ).

Anywho, I have this awesome dashboard that is basically like my own little weather station.

Now what I would like to do is be able to see how much precip we've had over the month.

Using some other answers I came up with this search string

index=main host=mimic* sourcetype=weather | bucket max(rain) span=day | stats sum(rain)

However, it's telling me that I've had 13" so far this month and I know that's not right. I think it's taking the sum of all of the values that are returned and going with it. I just want it to take the maximum value per day then sum all of that. Hmm I think I see my problem I need to alias the max rain.

Well tried to alias it, but now I get no results. Thank you all in advance for your help with this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
โ€Ž04-13-2016 10:44 PM

This should work

index=main host=mimic* sourcetype=weather 
| bin _time span=1d 
| stats max(rain) as daily_rain by _time 
| stats sum(daily_rain) as monthly_rain

HTH

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
โ€Ž04-13-2016 10:44 PM

This should work

index=main host=mimic* sourcetype=weather 
| bin _time span=1d 
| stats max(rain) as daily_rain by _time 
| stats sum(daily_rain) as monthly_rain

HTH

View solution in original post

Reply
Solved! Jump to solution

thefuzz4
Path Finder
โ€Ž04-13-2016 11:01 PM

Thank you very much that worked like a champ.

0 Karma
Reply