×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
nowakgft
Engager
Member since: ‎07-26-2022
‎07-26-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎07-26-2022
View All

Re: Get columns associated with max value of speci...

by in Splunk Search
‎07-26-2022 07:28 AM
‎07-26-2022 07:28 AM
I gave it a try, changed it in two places (corrected typo in max maxExecutionTime and changed by endpoint to by timeWindow). index = myindex | bucket span=30m _time as timeWindow | eventstats max(executionTime) as maxExecutionTime by timeWindow | where executionTime=MaxExecutionTime | table timeWindow _time endpoint maxExecutionTime | convert ctime(timeWindow)   Now works like a charm 🙂 Thank you! ... View more

How to get columns associated with max value of sp...

by in Splunk Search
‎07-26-2022 05:23 AM
‎07-26-2022 05:23 AM
Hello everyone, I have following type of data to analyze: timestamp endpoint executionTime 08:12 /products 0.3 08:20 /products 0.8 08:25 /users 0.5 08:41 /users 1.0 08:50 /products 0.7   I would like to display information about slowest endpoint in each 30 minute window, in this example it would look like: timeWindow timestamp endpoint maxExecutionTime 08:00 08:20 /products 0.8 08:30 08:41 /users 1   It's fairly easy to gather data on maximum execution time only and so I created such a query:     index = myindex | timechart span=30m max(executionTime) as maxExecutionTime     but now I have no idea how to attach endpoint called and actual timestamp. How should I do it? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-26-2022 10:49 AM
Karma given to
View All