Splunk Search

How to use eventstats to get the max value after using timechart?

Path Finder

Hi All,

I am trying to gather transaction per second on my 4 servers for each day over a week.
I would like to sample every hour, but display the max value for that day.
However, the result I get is just the max value applied to each day.

When I table the values individually, I get the correct (ie different values), so I can see the total transaction for the hour. It's just when I introduce eventstats where I then get then same value entered for each hour.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | eventstats max(TPS_rad1) AS TPS_RAD1| eventstats max(TPS_rad2) AS TPS_RAD2 | eventstats max(TPS_rad3) AS TPS_RAD3| eventstats max(TPS_rad4) AS TPS_RAD4 |rename _time AS DATE| eval DATE=strftime(DATE, "%a %b %e") | table DATE TPS_RAD1,TPS_RAD2, TPS_RAD3, TPS_RAD4

DATE          TPS_RAD1    TPS_RAD2   TPS_RAD3     TPS_RAD4
Sun Apr 24  175.821238  84.812951   183.823877  24.492315
Sat Apr 23  175.821238  84.812951   183.823877  24.492315
Fri Apr 22  175.821238  84.812951   183.823877  24.492315
Thu Apr 21  175.821238  84.812951   183.823877  24.492315
Wed Apr 20  175.821238  84.812951   183.823877  24.492315
Tue Apr 19  175.821238  84.812951   183.823877  24.492315
Mon Apr 18  175.821238  84.812951   183.823877  24.49231

thanks

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

View solution in original post

SplunkTrust
SplunkTrust

You're missing the groupby clause in the eventstats. With no groupby, the result is just one row/one column which will repeated for all. What you're trying to achieve can be achieved by this.

index=int_rad sourcetype=int_rad_log start OR access OR stop | timechart count span=1h by host | eval TPS_rad1=(radhostp01/60)/60| eval TPS_rad2=(radhostp02/60)/60| eval TPS_rad3=(radhostp03/60)/60| eval TPS_rad4=(radhostp04/60)/60 | timechart span=1d max(TPS_RA*) as TPS_RA* | eval Date=strftime(_time,"%a %b %e") | table Date TPS_RAD*

View solution in original post

Path Finder

thanks somesoni2,

this worked a treat!

0 Karma