Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

find max of averaged field over a month of daily data

dang
Path Finder
‎03-07-2012 01:26 PM

I've got a very basic query which computes an average of some daily attempts to do something like this:

index=monitoring | timechart span=1d sum(done) as Success sum(try) as Attempt | eval Percent=round(Success*100/Attempt,2) | convert ctime(_time) as Date timeformat="%d %B" | fields - _time | fields Date Percent

I'm unclear how I could find the day with the highest value of "Percent" over a month's worth of daily valules. Would I need to create a summary index to handle this?

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎03-07-2012 06:34 PM

No summary index needed for this - try this instead

index=monitoring | eval Date =strftime(_time,"%d %B"  )  | 
stats sum(done) as Success sum(try) as Attempt  by Date | 
eval Percent=round(Success*100/Attempt,2) |
eventstats max(Percent) as maxPercent |
where Percent = maxPercent |
fields - maxPercent
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...