Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

find max of averaged field over a month of daily data

dang
Path Finder
‎03-07-2012 01:26 PM

I've got a very basic query which computes an average of some daily attempts to do something like this:

index=monitoring | timechart span=1d sum(done) as Success sum(try) as Attempt | eval Percent=round(Success*100/Attempt,2) | convert ctime(_time) as Date timeformat="%d %B" | fields - _time | fields Date Percent

I'm unclear how I could find the day with the highest value of "Percent" over a month's worth of daily valules. Would I need to create a summary index to handle this?

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎03-07-2012 06:34 PM

No summary index needed for this - try this instead

index=monitoring | eval Date =strftime(_time,"%d %B"  )  | 
stats sum(done) as Success sum(try) as Attempt  by Date | 
eval Percent=round(Success*100/Attempt,2) |
eventstats max(Percent) as maxPercent |
where Percent = maxPercent |
fields - maxPercent
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...