I have this query that gets current CURRENT_OUT counts by DISTRICT:
index=<my index> sourcetype=oracle:query source=<source> | fields DISTRICT, OUT_CUSTS | where _time>relative_time(now(),"-5m") | stats sum(OUT_CUSTS) as CURRENT_OUT by DISTRICT | table DISTRICT, CURRENT_OUT | sort DISTRICT
This works to get current counts because the DB source is updated every 5 minutes in Splunk DB Connect. I get a nice table of CURRENT_OUT by DISTRICT.
Is it possible to expand this to add a peak value for CURRENT_OUT over, say, the last 24 hours, while still including the current CURRENT_OUT value in the table as well? I'm looking at the bin command but I can't put it together. Once I expand my timeframe for my query, I'm bringing back way too much data and over-inflating the current CURRENT_OUT values for each DISTRICT. Thanks
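One way to combine the current value with a 24-hour peak using bin, as an added example rather than a search from the original post; it keeps the question's index, sourcetype and field names as placeholders and assumes the DB Connect input lands exactly one snapshot per 5-minute bin.

```spl
index=<my index> sourcetype=oracle:query source=<source> earliest=-24h latest=now
| fields _time DISTRICT OUT_CUSTS
| bin _time span=5m
| stats sum(OUT_CUSTS) as OUT by DISTRICT _time
| stats latest(OUT) as CURRENT_OUT max(OUT) as PEAK_OUT_24H by DISTRICT
| table DISTRICT CURRENT_OUT PEAK_OUT_24H
| sort DISTRICT
```

The first stats collapses each 5-minute snapshot to one total per DISTRICT, so widening the window to 24 hours no longer inflates the current figure; latest() then takes the most recent snapshot and max() the peak. If a DB poll can straddle a bin boundary, widen span or align it to the poll schedule.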