Splunk Search

Timechart peaks - replace sum with max

rowancoleman
Explorer

Hi all,

I'm looking to create a timechart from a very large dataset. I just want to count the occurrence of a custom value, then limit to the top 10 series which have the highest maximum within the time range. A regular timechart seems to average out the series I'm interested in because it only appears for a short time, even though it has a much higher peak value.

The docs for timechart seem to describe my issue under the "where clause" description:

Description: Specifies the criteria for including particular data series when a field is given in the tc-by-clause. The most common use of this option is to select for spikes rather than overall mass of distribution in series selection. The default value finds the top ten series by area under the curve. Alternately one could replace sum with max to find the series with the ten highest spikes. This has no relation to the where command.

I really cannot work out how I use this syntax to prefer maximums instead of sums.


MuS
Legend

Hi rowancoleman,

If I get your question correctly, then you can use something like this to get the max count for each attack_flow:

| eval attack_flow = src_port + "->" + dst_ip | stats count by attack_flow, _time | timechart max(count) AS max by attack_flow useother=f usenull=f

the stats will take care of the counting for each attack_flow and the timechart will display the max for each attack_flow.

hope this helps ...

cheers, MuS

0 Karma

MuS
Legend

take a look at this example:
index=_internal source=*metrics.log series=splunkd* earliest=-24h@h | bucket _time span=1m | stats count as c_series by series, _time | timechart max(c_series) AS max min(c_series) AS min by series useother=f usenull=f

this will search the last 24 hours on index _internal for splunkd* events in metrics.log, create one minute buckets, count each occurrence of series in those buckets and display a timechart of max and min count for each series.
Adapt it to match your search and needs and you're ready to go.

0 Karma

amomchilov
Explorer

I tried to adapt your comment to fit my case, but it doesn't seem quite right: https://i.imgur.com/GjvilZn.png It seems like a very similar set of series were picked, but with the Y values squished by about 1/5. I posted a related question, could you please take a look if you're free? https://answers.splunk.com/answers/815185

0 Karma

rowancoleman
Explorer

Hi,

That doesn't seem to do it, I get odd results, and it runs very very slowly.

0 Karma

rowancoleman
Explorer

I can give an example of a search, but this is more of a general query.

| eval attack_flow = src_port + "->" + dst_ip | timechart count by attack_flow useother=false usenull=false

This returns the top 10 'attack_flow' over a time range. But the top 10 is based on the sum count, rather than the max count.

0 Karma
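As an added example (not from any poster in this thread), the search above with the timechart where clause from the quoted docs spelled out. The default series selection is equivalent to `where sum in top10`; swapping sum for max keeps the ten series with the highest single-bucket count, so a short-lived flow with one large spike survives the cut. The base search `index=firewall sourcetype=fw` and the span are assumptions; pick a span that matches how long the spike you care about lasts, because max is evaluated per bucket.

```spl
index=firewall sourcetype=fw
| eval attack_flow = src_port + "->" + dst_ip
| timechart span=5m count by attack_flow useother=f usenull=f where max in top10
```

The same clause also takes a threshold instead of a rank, e.g. `where max > 500` to keep every flow that peaked above 500 events in any bucket regardless of how many series that yields.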

somesoni2
Revered Legend

Can you post your search here?

0 Karma