Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to fetch relative fields out of timechart result based on Max(column) ?

sangs8788
Communicator
‎06-12-2018 01:40 AM

I have requirement where in i have to display in a timerange, what is the peak number of request per min and corresponding max response time during that min

Below is the query which gives me the for a span 1 min what was the count of thread and max response time for the selected timerange

host=test, index=prod | timechart  count(R) as ThreadCount, max(response_time) as ResponseTime by host_type

In above result i would like to get what was the peak numbr of request the host_type was able to handle and what was the maximum response time when it was handling the peak request. something similar to below, 

host=test, index=prod | timechart  count(R) as ThreadCount, max(response_time) as ResponseTime by host_type|streamstats max(ThreadCount) as MaxThreadCount by host_type|sort +ThreadCount |stats first(ResponseTime) as CorrespondingResponseTime |where ThreadCount=MaxThreadCount|table MaxThreadCount, CorrespondingResponseTime

I am pretty sure something wrong in my query. Could you please help me in getting the peak number of request the host_type was able to handle and what was the maximum response time when it was handling the peak request.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎06-12-2018 04:07 PM

This is what you asked for 

 host=test, index=prod 
| bin _time span=1m
| stats count(R) as ThreadCount, max(response_time) as ResponseTime by host_type _time
| eventstats max(ThreadCount) as MaxThreadCount by host_type
| where ThreadCount = MaxThreadCount

However, I'd probably do something more like this...

 host=test, index=prod 
| bin _time span=1m
| stats count(R) as ThreadCount, max(response_time) as ResponseMax avg(response_time) as ResponseAvg by host_type _time
| eventstats perc90(ThreadCount) as p90Count by host_type
| where ThreadCount>=p90Count

Then, you can chew that up in various ways based upon what the shape of the results are.

0 Karma
Reply

logloganathan
Motivator
‎06-12-2018 02:21 AM

Could you please provide the log and output sample you need for our better understanding

Also please try this query. i dont know whether its your requirement
host=test, index=prod | timechart count(R) as ThreadCount, max(response_time) as ResponseTime by host_type
| appendcols [ search host=test, index=prod | timechart count(R) as ThreadCount,max(ThreadCount) as MaxThreadCount by host_type ] | table ThreadCount ResponseTime MaxThreadCount

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top