- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: the max time of day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the max time of day
hello guys
I have a problem at work
index=mailog relay=10.204.0.0 I timechart span=1h count I timechart span=1d max(count)as count1 I appendcols 「search index=mailog relay=10.203.0.0 I timechart span=1h count I timechart span=1d max(count)as count2」
I get the max value of everyday but I donot get the information what time is most
like 3/16 12:00 is most how to display the information of time
plz help me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@baoamin, you can try this, you can paste all this request in your sarch bare,
index=_internal
| timechart span=1h count
| eval day=strftime(_time,"%Y-%m-%d")
| eventstats max(count) as max by day
| where count=max
| fields _time, count
Try by this to test your request:
index=mailog relay=10.204.0.0
| timechart span=1h count
| eval day=strftime(_time,"%Y-%m-%d")
| eventstats max(count) as max by day | appendcols
[search index=mailog relay=10.203.0.0 | timechart span=1h count | eval day=strftime(_time,"%Y-%m-%d") | eventstats max(count) as max by day]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=mailog
| bucket _time span=1h
| stats count AS hourly_count BY host _time
| sort 0 - count
| dedup host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
In the search you are grouping the events by span=1h so it show the _time in this format 3/16 12 00:00
If you want the what hour time frame it occured most then your search should be like this
index=your time | timechart span=1h count as count |sort 1 count desc
I used sort command to sort the results in descending order and takes only the first value which is max of count .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for helping me
but but I need the max value of everyday per mouth
the table I want like this
time 2018-4-15 8:00 max_count 588
time 2018-4-16 10:00
max_count 600
……
can you help me
sorry for troubling you thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Your requirement is not very clear to me. Here is what I understand, you want the max count based on hour and your output should be something like day, the hour the count was max max count
try |timechart span=1h count as count |timechart span=1h max(count) as count1| eventstats max(count1) as max | where count1=max|eval day=strftime(_time, "%Y-%m-%d") |eval hour=strftime(_time, "%Y-%m-%d %H:%M:%S")| fields day,hour,count1 | fields - _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for helping me
but but I need the max value of everyday per mouth
the table I want like this
time 2018-4-15 8:00 max_count 588
time 2018-4-16 10:00
max_count 600
……
can you help me
sorry for troubling you thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You say you need the max value per hour and then you also say you need max value every day. If you look at @p_gurav 's query and mine they are almost identical.
- We first get the counts per hour via timechart
we then do an eventstats to figure
out the max of the count per hour,
for example at which hour was the
count maxwe then simply put a where filter
out the particular hour of the day
where the count=max count in step
2 above.
why is our query results different from what you want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you sending me a message it was solved
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you every much
I just want the max value of mailog from hour 0 to 24 per day
and make the table like this
IP1_max_cou IP2_max_count
2018-4-15 9:00 256 270
2018-4-16 11:00 328 255
2018-4-17 10:00 156 123
2018-4-17 15:00 8 9
sorry for troubling you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try:
| timechart span=1h count as count | timechart span=1d max(count) | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you I tried it but just display
2018-04-10 00:00:00
2018-04-11 00:00:00
.
.
.
why does it do not display the real time ?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try something:
|timechart span=1h count as count | eval date=strftime(_time, "%x") | eventstats max(count) as count1 by date | where count=count1
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
