Good morning!
I'm quite new to Splunk, so I'm having difficulties figuring out how to do this search properly.
Here's a small snippet of events:
| mc1_date | mc1_time | mc1_system | mc1_catalog | mc1_adds | mc1_updates | mc1_gets | mc1_getupd | mc1_deletes |
|---|---|---|---|---|---|---|---|---|
| 15.12.2022 | 08:05:05 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 5081 | 0 | 0 |
| 14.12.2022 | 08:05:16 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 5012 | 0 | 0 |
| 13.12.2022 | 10:05:12 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 6719 | 0 | 0 |
| 12.12.2022 | 08:05:12 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 5051 | 0 | 0 |
| 11.12.2022 | 08:05:03 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 5008 | 0 | 0 |
| 10.12.2022 | 08:05:08 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 5012 | 0 | 0 |
| 09.12.2022 | 14:05:16 | SYSS1 | CATALOG.MASTER.SYSS1 | 0 | 0 | 11387 | 0 | 0 |
The table above contains the max daily mc1_gets values for CATALOG.MASTER.SYSS1 on SYSS1 from the last 7 days.
The whole sourcetype contains hourly data with multiple systems and multiple catalogs per system.
What I need is a way to get, per catalog, per system, the standard deviation of the daily max values of mc1_gets over a span of 7 days (or more).
The output data for the table above should look something like this in the end:
| mc1_system | mc1_catalog | mc1_gets |
|---|---|---|
| SYSS1 | CATALOG.MASTER.SYSS1 | 2380.05 |
Any help would be much appreciated!
Best regards,
Duncan Hagen
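
The calculation asked for above, as an added example that is not part of the original post: a Python sketch of the two-stage aggregation (daily max per system and catalog, then standard deviation of those maxima). The daily peaks are the values from the table; the off-peak rows and the SYSS2 series are constructed, and the function names are hypothetical.

```python
import statistics
from collections import defaultdict

# Daily peak rows from the post: (mc1_date, mc1_time, mc1_gets)
DAILY_PEAKS = [
    ("15.12.2022", "08:05:05", 5081), ("14.12.2022", "08:05:16", 5012),
    ("13.12.2022", "10:05:12", 6719), ("12.12.2022", "08:05:12", 5051),
    ("11.12.2022", "08:05:03", 5008), ("10.12.2022", "08:05:08", 5012),
    ("09.12.2022", "14:05:16", 11387),
]

def build_events():
    """Constructed hourly-style events: the real peak plus made-up filler rows."""
    events = []
    for date, time, gets in DAILY_PEAKS:
        events.append((date, time, "SYSS1", "CATALOG.MASTER.SYSS1", gets))
        # Constructed off-peak reading, so the daily-max stage has work to do
        events.append((date, "23:05:00", "SYSS1", "CATALOG.MASTER.SYSS1", gets // 2))
        # Constructed second system/catalog with a flat load
        events.append((date, time, "SYSS2", "CATALOG.MASTER.SYSS2", 100))
    return events

def daily_max(events):
    """Stage 1: highest mc1_gets per (system, catalog, date)."""
    peaks = {}
    for date, _time, system, catalog, gets in events:
        key = (system, catalog, date)
        peaks[key] = max(peaks.get(key, gets), gets)
    return peaks

def stdev_of_daily_max(events, population=False):
    """Stage 2: standard deviation of the daily maxima per (system, catalog)."""
    series = defaultdict(list)
    for (system, catalog, _date), peak in daily_max(events).items():
        series[(system, catalog)].append(peak)
    result = {}
    for key, values in series.items():
        if not population and len(values) < 2:
            result[key] = None  # sample stdev is undefined for a single day
            continue
        fn = statistics.pstdev if population else statistics.stdev
        result[key] = round(fn(values), 2)
    return result

if __name__ == "__main__":
    for (system, catalog), sd in sorted(stdev_of_daily_max(build_events()).items()):
        print(system, catalog, sd)
```

The expected 2380.05 in the post is the sample standard deviation (n-1 denominator) of the seven daily maxima. In Splunk's `stats`, `stdev` is the sample form and `stdevp` the population form.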