Splunk Search

Need help on finding daily hourly max for a month for a timechart

payalgarg27
Explorer

Hi All,

I am pretty new to Splunk and trying to figure out a Splunk search query. I am extracting a monthly report of hourly volume of some services.

I used the following query:
index=myIndex sourcetype=mysrctype | timechart span=1h count by myapps

This gives me the result in the following format:

_time app1 app2 app3 app4
Date1Hr1 72 774 0 0
Date1Hr2 34 234 0 0
Date1Hr3 72 560 0
.
.
.
.
Date1Hr24 72 560 0 89
Date2Hr1 72 560 0 87
Date2Hr2 72 560 0 876
Date2Hr3 72 560 0 87
.
.
.
Date31Hr24 72 560 0 76

Question 1: How can I get Daily Max for all the applications for all 30 days?
I tried
index=myIndex sourcetype=mysrctype | timechart span=1h count by myapps | stats max(*) as *
But this gives me Max of all daily values for all 30 days. I am not able to get a "Daily" max using timechart.

Question 2: How can I add a linebreak after each day in timechart?

Appreciate your help!!

Thanks,
Payal

1 Solution

DalJeanis
SplunkTrust

If you want to understand exactly what you are doing, and be able to answer your own questions with flexible strategies, then you are better off doing your own calculations, rather than just letting timechart do the work. Feed the results into timechart at the very end, after you've collected the info.

(Caveat... if you want to be able to change the time scale to investigate things, then you have to chunk the data to the lowest level you will want to get down to.)

index=myIndex sourcetype=mysrctype
| bin _time as Hour span=1h
| stats count by myapps Hour

Now you have an hourly count for each value of myapps for each hour.

| bin Hour as Day span=1d
| stats max(count) as maxcount by myapps Day

Now you have the highest hourly count for each value of myapps for each Day, so let's display it...

| rename Day as _time
| timechart span=1d max(maxcount) as maxcount by myapps

That uses timechart to display the highest value for each day, as we have calculated it.


Now that you see all the above steps, here's a compressed way that accomplishes the same thing, letting timechart do the final calculation step...

index=myIndex sourcetype=mysrctype
| bin _time span=1h
| stats count by myapps _time
| timechart span=1d max(count) as maxcount by myapps

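The hour-then-day bucketing in the accepted answer, modelled in Python as an added example (not code from the thread or from Splunk) so the difference between a per-day max and the original whole-month `stats max(*)` is visible on concrete data. The events, app names and counts are constructed, and `bin_time` only implements the two spans the answer uses.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events standing in for index=myIndex sourcetype=mysrctype:
# (event time, value of the myapps field). Not data from the original thread.
DAY1 = datetime(2024, 3, 1)
DAY2 = DAY1 + timedelta(days=1)
EVENTS = []
for app, bursts in {"app1": ((3, 0), (5, 2), (2, 24)),   # (events, hour offset)
                    "app2": ((4, 23), (7, 25))}.items():
    for n, hour in bursts:
        EVENTS += [(DAY1 + timedelta(hours=hour, minutes=m), app) for m in range(n)]


def bin_time(ts, span):
    """Model of `bin _time span=1h` / `span=1d`: floor to the bucket start."""
    if span == "1h":
        return ts.replace(minute=0, second=0, microsecond=0)
    if span == "1d":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported span {span}")


def hourly_counts(events):
    """`bin _time span=1h | stats count by myapps _time` -> {(app, hour): count}"""
    return Counter((app, bin_time(ts, "1h")) for ts, app in events)


def daily_max(events):
    """`bin Hour as Day span=1d | stats max(count) as maxcount by myapps Day`
    -> {day: {app: highest hourly count that day}}.  (timechart would also
    pad app/day combinations with no events as 0.)"""
    result = defaultdict(dict)
    for (app, hour), count in hourly_counts(events).items():
        day = bin_time(hour, "1d")
        result[day][app] = max(result[day].get(app, 0), count)
    return dict(result)


def month_max(events):
    """The original attempt, `... | stats max(*) as *` after an hourly timechart:
    the day grouping is lost and the whole month collapses to one row."""
    best = {}
    for (app, _), count in hourly_counts(events).items():
        best[app] = max(best.get(app, 0), count)
    return best


if __name__ == "__main__":
    for day, apps in sorted(daily_max(EVENTS).items()):
        print(day.date(), apps)
    print("whole month:", month_max(EVENTS))
```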
somesoni2
SplunkTrust

Wonderful explanation.

payalgarg27
Explorer

Thanks a lot for your help. It's explained in a wonderful way. I appreciate it a lot and hope to help others in the same way as you just did. 🙂

SplunkersRock
Path Finder

index=myIndex sourcetype=mysrctype | timechart max(Time)
