Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eventstats to get the max value after using timechart?

ssaenger
Communicator
‎04-25-2016 07:02 AM

Hi All,

I am trying to gather transaction per second on my 4 servers for each day over a week.
I would like to sample every hour, but display the max value for that day.
However, the result I get is just the max value applied to each day.

When I table the values individually, I get the correct (ie different values), so I can see the total transaction for the hour. It's just when I introduce eventstats where I then get then same value entered for each hour.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | eventstats max(TPS_rad1) AS TPS_RAD1| eventstats max(TPS_rad2) AS TPS_RAD2 | eventstats max(TPS_rad3) AS TPS_RAD3| eventstats max(TPS_rad4) AS TPS_RAD4 |rename _time AS DATE| eval DATE=strftime(DATE, "%a %b %e") | table DATE TPS_RAD1,TPS_RAD2, TPS_RAD3, TPS_RAD4

DATE          TPS_RAD1    TPS_RAD2   TPS_RAD3     TPS_RAD4
Sun Apr 24  175.821238  84.812951   183.823877  24.492315
Sat Apr 23  175.821238  84.812951   183.823877  24.492315
Fri Apr 22  175.821238  84.812951   183.823877  24.492315
Thu Apr 21  175.821238  84.812951   183.823877  24.492315
Wed Apr 20  175.821238  84.812951   183.823877  24.492315
Tue Apr 19  175.821238  84.812951   183.823877  24.492315
Mon Apr 18  175.821238  84.812951   183.823877  24.49231

thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-25-2016 11:41 AM

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-25-2016 11:41 AM

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*
Reply
Solved! Jump to solution

ssaenger
Communicator
‎04-28-2016 12:06 AM

thanks somesoni2,

this worked a treat!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...