Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Keep track of max count.

sandeepmakkena
Contributor
‎09-28-2019 11:04 AM

Mysesarch
| stats avg(time) as "median", max(time) as MaxMedian max(time99) as "Max99th", max(time999) as Max999th by host

I have something like this, I also want a count of max(99th) by host in past 1hr.

Just make it clear, let say I'm running search for 1hr, I want to calculate max(99th) value every 10mins and display its count by host but, I still want my stats to for whole 1hr.

Say we have host A, B and C
at 00:10 the max(99th) is on host-A
at 00:20 the max(99th) is on host-A
at 00:30 the max(99th) is on host-B

I want to display
host-A median MaxMedian Max99th Max999th "2 times out of 3"
host-B median MaxMedian Max99th Max999th "1 time out of 3"
host-C median MaxMedian Max99th Max999th "0 times out of 3"
Thanks for your time.

0 Karma
Reply

tjago11
Communicator
‎10-01-2019 07:59 AM

oops, sorry.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...