Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart of max(variable) - get actual time of peak, instead of bin time

sperl
New Member
‎03-31-2017 08:22 AM

When I do a timechart - I get the max of my variable in the chart.

However, if I hover over the value - the time associated is the bin time of the timechart and not the actual time of the event.

i.e. for a 24 hour search
timechart max(latency) span=30m

If I had an event measuring 1500 at 10:37:45 which was the max in that bin, it will chart 1500, but it will timestamp at 10;30, the beginning of the bin.

How do I get it to show the actual event _time ?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎03-31-2017 09:19 AM

Give this a try

your base search 
| eventstats max(latency) as max 
| eval MaxTimestamp=if(latency=max,_time,null())
| timechart span=30m max(latency) as maxLatency values(MaxTimestamp) as MaxTimestamp values(max) as max
| appendpipe [| dedup MaxTimestamp max | eval _time=MaxTimestamp | eval maxLatency =max ]
| table _time maxLatency | sort _time
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...