Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

find max of averaged field over a month of daily data

dang
Path Finder
‎03-07-2012 01:26 PM

I've got a very basic query which computes an average of some daily attempts to do something like this:

index=monitoring | timechart span=1d sum(done) as Success sum(try) as Attempt | eval Percent=round(Success*100/Attempt,2) | convert ctime(_time) as Date timeformat="%d %B" | fields - _time | fields Date Percent

I'm unclear how I could find the day with the highest value of "Percent" over a month's worth of daily valules. Would I need to create a summary index to handle this?

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎03-07-2012 06:34 PM

No summary index needed for this - try this instead

index=monitoring | eval Date =strftime(_time,"%d %B"  )  | 
stats sum(done) as Success sum(try) as Attempt  by Date | 
eval Percent=round(Success*100/Attempt,2) |
eventstats max(Percent) as maxPercent |
where Percent = maxPercent |
fields - maxPercent
0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...