Splunk Search

Need help to format result

Splunked_Kid
Explorer

I'm trying to add up 2 values per minute to display the max total value per hour. 

This is my search result.  As you can see the first value with the red arrow contains the maximum value at 1:44. 

Splunked_Kid_2-1738181873134.png

If I change the span for 1 hour, the Total value changes. This is not good. The real max value is the values at 1:44, not the max value of TRX + the max value of TRX2 during the hour. As you can see in the following example, the Total value changes from 6594.90 to 6787.11 for 1 hour:

Splunked_Kid_3-1738182160451.png


Is there a way to add up the 2 LPARs per minute and then display the highest values per hour without losing the LPAR value?

0 Karma

bowesmana
SplunkTrust

It is technically correct in what it's telling you, in that the max value over the 1 hour for each of the MIPS* values is different: it's adding the biggest TRX in the hour + the biggest TRX2 in the hour, which MAY add values from two different minutes, whereas the first is the biggest TRX in the minute + the biggest TRX2 in the SAME minute.

If you want to add up the max values per minute then you can just stack two timechart commands, the first with span=1m to get the max per minute, then do a second timechart 

| timechart span=1h max(*) as *

which will then give you the max values in the 1h span.

0 Karma

Splunked_Kid
Explorer

Hi @bowesmana,  Thanks for your help.

Is there a way to keep the LPAR values when the Total max is reached?
As you can see in my graph, the Total curve should not be exceeded by the combination of my 3 LPARs.

How can I do that?

Splunked_Kid_0-1738186895044.png

Splunked_Kid_1-1738186915181.png

Thanks!



0 Karma

bowesmana
SplunkTrust

If you want the Total to represent the Total of the individual MINUTE in the period, then it will always be different to the max of all the minutes in the period for each LPAR.

e.g. 

Time,TRX,TRX2,STM,Total

00:01,4,5,6,15
00:02,1,1,16,18

When this is summed over the hour it will be

00:00,4,5,16,18

and of course 18 is less than the sum of 4+5+16 - so you can't have it both ways - in your original post, you wanted the total to reflect the sum of LPAR for the biggest MINUTE, so it can't also represent the sum of the biggest DAY unless you do another addtotals to a new field which is the total for the day.

0 Karma
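One way to get what the original question asked for (the hourly row whose per-minute Total is highest, with that minute's LPAR values kept intact rather than each LPAR's own hourly max) is to total per minute first and then pick the peak minute of each hour. This is an added example, not bowesmana's or Splunk's own search; it assumes the events carry the numeric fields TRX, TRX2 and STM from the table above, and the index and sourcetype are placeholders to replace.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| timechart span=1m max(TRX) AS TRX max(TRX2) AS TRX2 max(STM) AS STM
| addtotals fieldname=Total TRX TRX2 STM
| bin _time span=1h
| sort 0 - Total
| dedup _time
| sort 0 _time
| table _time TRX TRX2 STM Total
```

On the two-minute table above this returns 00:00,1,1,16,18 (the 00:02 minute, whose Total of 18 is the hour's peak), whereas a second timechart with max(*) would return 4,5,16,18, where the LPAR values no longer add up to Total. Because dedup keeps the first row per hour after the descending sort, ties on Total resolve to whichever tied minute sorted first.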