Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

finding peak and low times from timechart

kunadkat
Explorer
‎01-02-2014 06:58 AM

I want to tabulate peak period and low periods for my web transactions. The following search works but not very efficient

index=web GET OR POST | timechart span=1h count | sort count | head 1 | append [ search index=web GET OR POST | timechart span=1h count | sort count | tail 1]

Does anybody know better search to accomplish this?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-02-2014 07:35 AM

Do you want to simply know what the lowest and highest values were? Or what they were and when they occurred?

If you simply want to know what the highest and lowest values were, then aelliot is absolutely correct. This search is what he suggested with the "(your search)" part included literally.

index=web GET OR POST | timechart span=1h count 
| stats max(count) as max, min(count) as min
| table min,max

Something else that might work is this:

index=web GET OR POST | timechart span=1h count 
| eventstats max(count) as high, min(count) as low
| where (count=low OR count=high)
| fields _time, count

You get the high and low, and when they occurred.

If neither of these are what you want, and if you cannot come up with something that works for you as a variation on one of these then perhaps you'll need to describe your actual request a little more verbosely.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎01-02-2014 07:35 AM

Do you want to simply know what the lowest and highest values were? Or what they were and when they occurred?

If you simply want to know what the highest and lowest values were, then aelliot is absolutely correct. This search is what he suggested with the "(your search)" part included literally.

index=web GET OR POST | timechart span=1h count 
| stats max(count) as max, min(count) as min
| table min,max

Something else that might work is this:

index=web GET OR POST | timechart span=1h count 
| eventstats max(count) as high, min(count) as low
| where (count=low OR count=high)
| fields _time, count

You get the high and low, and when they occurred.

If neither of these are what you want, and if you cannot come up with something that works for you as a variation on one of these then perhaps you'll need to describe your actual request a little more verbosely.

Reply
Solved! Jump to solution

kunadkat
Explorer
‎01-02-2014 11:36 AM

The second search is what I am looking for and it works Thanks,

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎01-02-2014 07:22 AM

There's a max, min stats functions that may help you:

(your search)
| stats max(count) AS max min(count) AS min
| table min max

This one should work pretty well as I have tested it and verified :
index=web GET OR POST | bucket _time span=1h |stats count by _time | eventstats max(count) AS max_count min(count) AS min_count by _time | timechart max(max_count),min(min_count)

and a more simplified version:
index=web GET OR POST | bucket _time span=1h |stats count by _time | timechart max(count),min(count)

since the max and min in a given hour is exactly the same

Reply
Solved! Jump to solution

aelliott
Motivator
‎01-02-2014 07:40 AM

You may find this post helpful as well (I believe dwaddle has something similar within his answer)
http://answers.splunk.com/answers/55271/report-hourly-max-count-events-per-day-over-a-month

0 Karma
Reply
Solved! Jump to solution

kunadkat
Explorer
‎01-02-2014 07:27 AM

Thanks for your quick response, but I am interested in finding Peak and low time periods and not the count values. The above search gives be max and min counts only

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...