Solved: Thruput search help

carmackd · ‎02-04-2011

I've got a search that will display max daily thruput over the last 30 days.

index="_internal" source="/*/metrics.log" per_index_thruput series="*" daysago=30 | eval gb=kb/1024/1024 | timechart sum(gb) as sumGB | stats max(sumGB) as MaxThru

The output looks like this:

MaxThru
80.0

I would like the search to include the date, but cannot figure out how to do it using | stats max()

Ideally the output would look like:

Date                      MaxThru
2/4/11 12:00:00.000 AM    80

Any suggestions would be greatly appreciated!

Thanks

Ayn · ‎02-04-2011

You could achieve what you want by using a combination of sort and head:

index="_internal" source="/*/metrics.log" per_index_thruput series="*" daysago=30 | eval gb=kb/1024/1024 | timechart sum(gb) as sumGB | sort - sumGB | head 1

View solution in original post

Ayn · ‎02-04-2011

You could achieve what you want by using a combination of sort and head:

index="_internal" source="/*/metrics.log" per_index_thruput series="*" daysago=30 | eval gb=kb/1024/1024 | timechart sum(gb) as sumGB | sort - sumGB | head 1

carmackd · ‎02-04-2011

Perfect! thanks

Thruput search help

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres

Are you a member of the Splunk Community?

Thruput search help

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres