I've got a very basic query which computes an average of some daily attempts to do something like this:
index=monitoring | timechart span=1d sum(done) as Success sum(try) as Attempt | eval Percent=round(Success*100/Attempt,2) | convert ctime(_time) as Date timeformat="%d %B" | fields - _time | fields Date Percent
I'm unclear how I could find the day with the highest value of "Percent" over a month's worth of daily valules. Would I need to create a summary index to handle this?
You can find the single highest day by sorting by Percent, descending, and taking the first row:
index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| sort - Percent
| head 1
Alternately you can tag the highest row using eventstats and eval:
index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| eventstats max(Percent) as max_Percent
| eval is_highest = if(Percent == max_Percent, "yes", "no")
You can find the single highest day by sorting by Percent, descending, and taking the first row:
index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| sort - Percent
| head 1
Alternately you can tag the highest row using eventstats and eval:
index=monitoring
| timechart span=1d sum(done) as Success sum(try) as Attempt
| eval Percent=round(Success*100/Attempt,2)
| convert ctime(_time) as Date timeformat="%d %B"
| fields - _time
| fields Date Percent
| eventstats max(Percent) as max_Percent
| eval is_highest = if(Percent == max_Percent, "yes", "no")
Thanks, Stephen. I'll probably use the first example, but the second one will help me learn new stuff about streamstats.