Solved: Re: Timechart results, max value for time

astatrial · ‎07-13-2019

Hi all,

I am counting distinct values of destinations with timechart (span=1h).
I am trying to take those values and find the max value per hour, as follows:

Original: 
_time    dest1       dest2           dest3
06:00      3           0               1
07:00      6           2               9 
08:00      0           3               7
 ...

Result: 
_time    max 
06:00     3                 
07:00     9                
08:00     7

*This is just an example, there are more dests and more hours.

Can anyone please assist me with this ?

Thanks!

renjith_nair · ‎07-14-2019

@astatrial ,

Try adding this to end of your search

|eval max=0
|foreach * [eval max=if(max < <<FIELD>>,<<FIELD>>,max)]

OR below if you do not want destination fields in your output

|untable _time,dest,count
|stats max(count) as c by _time

Happy Splunking!

View solution in original post

renjith_nair · ‎07-14-2019

@astatrial ,

Try adding this to end of your search

|eval max=0
|foreach * [eval max=if(max < <<FIELD>>,<<FIELD>>,max)]

OR below if you do not want destination fields in your output

|untable _time,dest,count
|stats max(count) as c by _time

Happy Splunking!

astatrial · ‎07-14-2019

First option didn't work, but the second option worked.

Thanks.

renjith_nair · ‎07-14-2019

@astatrial ,
First option also should work. Did you get any error message? Please note that , you have to use that search as it is. i.e. <<FIELD>> should be there as it is , dont replace it with your field names

Happy Splunking!

astatrial · ‎07-14-2019

Yes, i know. There was no error, i know it is possible to fix it to get the result but the second option did the job.

Timechart results, max value for time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life