- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to fetch relative fields out of timechart ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to fetch relative fields out of timechart result based on Max(column) ?
I have requirement where in i have to display in a timerange, what is the peak number of request per min and corresponding max response time during that min
Below is the query which gives me the for a span 1 min what was the count of thread and max response time for the selected timerange
host=test, index=prod | timechart count(R) as ThreadCount, max(response_time) as ResponseTime by host_type
In above result i would like to get what was the peak numbr of request the host_type was able to handle and what was the maximum response time when it was handling the peak request. something similar to below,
host=test, index=prod | timechart count(R) as ThreadCount, max(response_time) as ResponseTime by host_type|streamstats max(ThreadCount) as MaxThreadCount by host_type|sort +ThreadCount |stats first(ResponseTime) as CorrespondingResponseTime |where ThreadCount=MaxThreadCount|table MaxThreadCount, CorrespondingResponseTime
I am pretty sure something wrong in my query. Could you please help me in getting the peak number of request the host_type was able to handle and what was the maximum response time when it was handling the peak request.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what you asked for
host=test, index=prod
| bin _time span=1m
| stats count(R) as ThreadCount, max(response_time) as ResponseTime by host_type _time
| eventstats max(ThreadCount) as MaxThreadCount by host_type
| where ThreadCount = MaxThreadCount
However, I'd probably do something more like this...
host=test, index=prod
| bin _time span=1m
| stats count(R) as ThreadCount, max(response_time) as ResponseMax avg(response_time) as ResponseAvg by host_type _time
| eventstats perc90(ThreadCount) as p90Count by host_type
| where ThreadCount>=p90Count
Then, you can chew that up in various ways based upon what the shape of the results are.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please provide the log and output sample you need for our better understanding
Also please try this query. i dont know whether its your requirement
host=test, index=prod | timechart count(R) as ThreadCount, max(response_time) as ResponseTime by host_type
| appendcols [ search host=test, index=prod | timechart count(R) as ThreadCount,max(ThreadCount) as MaxThreadCount by host_type ] | table ThreadCount ResponseTime MaxThreadCount
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
