Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get max val by time in splunk

chohye12
New Member
‎08-11-2021 12:21 AM

index="performance" sourcetype="physical_cpu"
| addtotals fieldname=CPU_SUM CPU_*
| rex mode=sed field=_raw "s/ //g"
| eval cpu_cnt=len(_raw)/5
| eval value=CPU_SUM/cpu_cnt
| stats avg(value) as avg_val ,max(value) as max_val ,min(value) as min_val by _time host
| eventstats max(value) as max_val by host
| sort -max_val
| where host="host"
OR host="host1"
OR host="host2"
OR host="host3"
OR host="host4"
| sort max_val desc
| table host,max_val,avg_val,min_val


im using upper query by get below table, but i'd like to get max_value of host at the time
how can i get the to-be table?

AS-IS
host max_val av_val min_val
host1 111 0.111 0.01111
host2 222 0.222 0.02222
host3 333 0.333 0.03333
host4 444 0.444 0.04444

TO-BE
time host max_val
2021-08-11 10:00:000 host1 111
2021-08-11 12:00:000 host2 222
2021-08-11 13:00:000 host1 333
2021-08-11 14:00:000 host3 444

Labels (7)
0 Karma
Reply

chohye12
New Member
‎08-11-2021 01:01 AM

Hi Thanks for the help.

I 'd like to get max_val at the time one of the  hosts

 

What you help result are  each host's max value at the time.

I 'd like to get the host who got biggest value at the time.

 

could you help me?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 01:17 AM 
| bin span=1h _time
| stats max(value) as max_val by _time host
| stats max(max_val) as max_val by _time
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 12:37 AM 
| bin span=1h _time
| stats max(value) as max_val by _time host
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...