Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get max val by time in splunk

chohye12
New Member
‎08-11-2021 12:21 AM

index="performance" sourcetype="physical_cpu"
| addtotals fieldname=CPU_SUM CPU_*
| rex mode=sed field=_raw "s/ //g"
| eval cpu_cnt=len(_raw)/5
| eval value=CPU_SUM/cpu_cnt
| stats avg(value) as avg_val ,max(value) as max_val ,min(value) as min_val by _time host
| eventstats max(value) as max_val by host
| sort -max_val
| where host="host"
OR host="host1"
OR host="host2"
OR host="host3"
OR host="host4"
| sort max_val desc
| table host,max_val,avg_val,min_val


im using upper query by get below table, but i'd like to get max_value of host at the time
how can i get the to-be table?

AS-IS
host max_val av_val min_val
host1 111 0.111 0.01111
host2 222 0.222 0.02222
host3 333 0.333 0.03333
host4 444 0.444 0.04444

TO-BE
time host max_val
2021-08-11 10:00:000 host1 111
2021-08-11 12:00:000 host2 222
2021-08-11 13:00:000 host1 333
2021-08-11 14:00:000 host3 444

Labels (7)
0 Karma
Reply

chohye12
New Member
‎08-11-2021 01:01 AM

Hi Thanks for the help.

I 'd like to get max_val at the time one of the  hosts

 

What you help result are  each host's max value at the time.

I 'd like to get the host who got biggest value at the time.

 

could you help me?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 01:17 AM 
| bin span=1h _time
| stats max(value) as max_val by _time host
| stats max(max_val) as max_val by _time
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2021 12:37 AM 
| bin span=1h _time
| stats max(value) as max_val by _time host
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...