Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

finding peak times from timechart (Part 2)

Software-Simian
Path Finder
‎02-04-2022 02:38 AM

Hello,

i am aware that there already is a Question from way back called:

"finding peak and low times from timechart"

However in that solution i only can get max and min values overall.

 

i tried to adapt the solution for my issue. Here it goes...

I have multiple customers and want to find peaks for everyone of them. Whilst the solution:

index=web GET OR POST | timechart span=1h count 
| eventstats max(count) as high, min(count) as low
| where (count=low OR count=high)
| fields _time, count

works perfectly for overall peaks i struggle to get it flying with an "by" command for customers...so something like:

| timechart span=1hour count  by customer
| eventstats max(count) as high, min(count) as low by customer

at this point there however is no field "count" anymore

Kind regards,

Mike

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎02-04-2022 10:34 AM

A. Either use eventstats to calculate max and filter (which was the approach you were trying).

 

 

index=web GET OR POST
| bucket _time span=1h
| stats count AS event_count by _time customer

| eventstats max(event_count) AS peak_count BY customer
| where event_count=peak_count

 

 

B. Or just sort and dedup:

 

 

index=web GET OR POST
| bucket _time span=1h
| stats count AS event_count by _time customer

| sort 0 - event_count
| dedup customer

 

 

 

 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎02-04-2022 11:37 PM 
index=web GET OR POST
| bin _time span=1h
| stats count by _time customer 
| sort customer - count
| sort first(_time) first(count) last(_time) last(count) by customer

Something  like that?

Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎02-04-2022 10:34 AM

A. Either use eventstats to calculate max and filter (which was the approach you were trying).

 

 

index=web GET OR POST
| bucket _time span=1h
| stats count AS event_count by _time customer

| eventstats max(event_count) AS peak_count BY customer
| where event_count=peak_count

 

 

B. Or just sort and dedup:

 

 

index=web GET OR POST
| bucket _time span=1h
| stats count AS event_count by _time customer

| sort 0 - event_count
| dedup customer

 

 

 

 

Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...