Solved: Thruput search help

carmackd · ‎02-04-2011

I've got a search that will display max daily thruput over the last 30 days.

index="_internal" source="/*/metrics.log" per_index_thruput series="*" daysago=30 | eval gb=kb/1024/1024 | timechart sum(gb) as sumGB | stats max(sumGB) as MaxThru

The output looks like this:

MaxThru
80.0

I would like the search to include the date, but cannot figure out how to do it using | stats max()

Ideally the output would look like:

Date                      MaxThru
2/4/11 12:00:00.000 AM    80

Any suggestions would be greatly appreciated!

Thanks

Ayn · ‎02-04-2011

You could achieve what you want by using a combination of sort and head:

index="_internal" source="/*/metrics.log" per_index_thruput series="*" daysago=30 | eval gb=kb/1024/1024 | timechart sum(gb) as sumGB | sort - sumGB | head 1

View solution in original post

Ayn · ‎02-04-2011

You could achieve what you want by using a combination of sort and head:

index="_internal" source="/*/metrics.log" per_index_thruput series="*" daysago=30 | eval gb=kb/1024/1024 | timechart sum(gb) as sumGB | sort - sumGB | head 1

carmackd · ‎02-04-2011

Perfect! thanks

Thruput search help

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1