Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eventstats to get the max value after using timechart?

ssaenger
Communicator
‎04-25-2016 07:02 AM

Hi All,

I am trying to gather transaction per second on my 4 servers for each day over a week.
I would like to sample every hour, but display the max value for that day.
However, the result I get is just the max value applied to each day.

When I table the values individually, I get the correct (ie different values), so I can see the total transaction for the hour. It's just when I introduce eventstats where I then get then same value entered for each hour.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | eventstats max(TPS_rad1) AS TPS_RAD1| eventstats max(TPS_rad2) AS TPS_RAD2 | eventstats max(TPS_rad3) AS TPS_RAD3| eventstats max(TPS_rad4) AS TPS_RAD4 |rename _time AS DATE| eval DATE=strftime(DATE, "%a %b %e") | table DATE TPS_RAD1,TPS_RAD2, TPS_RAD3, TPS_RAD4

DATE          TPS_RAD1    TPS_RAD2   TPS_RAD3     TPS_RAD4
Sun Apr 24  175.821238  84.812951   183.823877  24.492315
Sat Apr 23  175.821238  84.812951   183.823877  24.492315
Fri Apr 22  175.821238  84.812951   183.823877  24.492315
Thu Apr 21  175.821238  84.812951   183.823877  24.492315
Wed Apr 20  175.821238  84.812951   183.823877  24.492315
Tue Apr 19  175.821238  84.812951   183.823877  24.492315
Mon Apr 18  175.821238  84.812951   183.823877  24.49231

thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-25-2016 11:41 AM

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-25-2016 11:41 AM

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*
Reply
Solved! Jump to solution

ssaenger
Communicator
‎04-28-2016 12:06 AM

thanks somesoni2,

this worked a treat!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top