Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Max of Distinct Count

pontorito
Explorer
‎06-27-2014 07:44 AM

I am trying to get a distinct count of two concatenated numbers and then get the max of that distinct count over a time period. My current search works up until the last pipe. I can get the distinct count but not the max of the distinct count. Any help is appreciated!

index=x heartbeat AssetType=Linear
|bucket span=1m _time | eval DistinctSession=XDI.AssetID
| timechart span=1m dc(DistinctSession) as ConcurrentSession by DeviceType
| timechart span=1d max(ConcurrentSession) by DeviceType

0 Karma
Reply

somesoni2
Revered Legend
‎07-01-2014 08:48 AM

Give this a try

index=x heartbeat AssetType=Linear |bucket span=1m _time | eval DistinctSession=XDI.AssetID | timechart span=1m dc(DistinctSession) as ConcurrentSession by DeviceType | timechart span=1d max(*) by *
0 Karma
Reply

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎06-27-2014 09:25 AM

Can you describe what you want the timechart to look like? I'd guess there will be two series: one showing the distinct count, hourly and another showing the max at the daily granularity?

0 Karma
Reply

pontorito
Explorer
‎07-01-2014 08:38 AM

I'm trying to distinct count per minute, and then I want the max of those distinct counts per day. Basically I want one number per day - the max value of those per minute counts. A little confusing, I know. 🙂

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-27-2014 08:18 AM

I'd guess the first timechart assigns one column for each value of DeviceType, so the second timechart doesn't find any column named DeviceType. Try this instead:

index=x heartbeat AssetType=Linear | rename XDI.AssetID as  DistinctSession
| bucket span=1m _time | stats dc(DistinctSession) as ConcurrentSession by _time DeviceType
| timechart span=1d max(ConcurrentSession) by DeviceType
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-27-2014 08:49 AM

Do the values look right when you leave off the timechart?

index=x heartbeat AssetType=Linear | rename XDI.AssetID as  DistinctSession
| bucket span=1m _time | stats dc(DistinctSession) as ConcurrentSession by _time DeviceType
0 Karma
Reply

pontorito
Explorer
‎06-27-2014 08:38 AM

this is close...the DeviceType field is now showing up but I still can't get a max number. For some reason the dc isn't being pulled into the timechart function to compute a max

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...