hnport.blogg.se

Splunk lookup max limit

Question:

I want to run a Splunk query for all the values in the csv file and replace the value with the field in the csv file. I've imported the file into Splunk as an input lookup table and am able to view the fields using an inputlookup query, but I want to run that with all the sub queries where I'm fetching the maximum count per hour, per day, per week and per month basis.

Input file is ids.csv which has around 800 rows and it's just one column, like below:

1234,

Query that I'm using:

| inputlookup ids.csv | fields ids as id
| appendcols [search Index="abc" id "search string here" | bin _time span="1day" | stats count as maxDay by _time | sort - count | head 1]
| appendcols [search Index="abc" id "search string here" | bin _time span="1week" | stats count as maxWeek by _time | sort - count | head 1]
| appendcols [search Index="abc" id "search string here" | bin _time span="1month" | stats count as maxMonth by _time | sort - count | head 1]

I'm not getting the expected results for this. I'm expecting a tabular format where I get the count for each time range with the specific id by passing the id field in the search subquery.

Answer:

Without an active instance in front of me to play with, I feel like a much more efficient approach might look like:

index="abc"
| bin _time span=1h | stats count by id _time
| bin _time span=1d | stats max(count) as countHour sum(count) as countDay by id _time

First we fetch all data for each id in the lookup, and using stats we get to the maximum count per hour in every day, and the count per day using bin and stats. Next we use the (undocumented) multireport command to transform our result set from daily statistics, to add on weekly and monthly statistics as well. Finally we take the max of each count to wind up with the max count of an hour, day, week and month by each id in the inputlookup.
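As an added example that is not part of the thread, the rollup the answer sketches (count per id per hour, then per-day max and sum, then week and month sums of the daily counts, then the max of each per id) written out in plain Python over constructed events, so the shape of the expected result table can be checked offline. The events, the lookup ids and the Monday week start are assumptions, not data from the thread.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (id, ISO timestamp); not data from the thread.
EVENTS = [
    ("1234", "2024-03-04T10:05:00"), ("1234", "2024-03-04T10:40:00"),
    ("1234", "2024-03-04T11:10:00"), ("1234", "2024-03-05T09:00:00"),
    ("1234", "2024-03-12T09:00:00"), ("5678", "2024-03-04T10:05:00"),
    ("5678", "2024-04-01T00:30:00"), ("9999", "2024-03-04T10:05:00"),
]
# Stands in for ids.csv; "0000" has no events, "9999" is not in the lookup.
LOOKUP_IDS = {"1234", "5678", "0000"}


def _week_start(day):
    # Assumption: weeks start on Monday (Splunk's span=1week may bin differently).
    return day - timedelta(days=day.weekday())


def max_counts(events, ids):
    """Per lookup id: max events seen in any one hour, day, week and month,
    using the same stepwise rollup as the answer's bin/stats pipeline."""
    # | bin _time span=1h | stats count by id _time
    hourly = Counter()
    for ident, ts in events:
        if ident not in ids:  # the inputlookup subsearch restricts to lookup ids
            continue
        t = datetime.fromisoformat(ts)
        hourly[(ident, t.replace(minute=0, second=0))] += 1
    # | bin _time span=1d | stats max(count) as countHour sum(count) as countDay
    day_hour_max, day_sum = Counter(), Counter()
    for (ident, hour), c in hourly.items():
        key = (ident, hour.date())
        day_hour_max[key] = max(day_hour_max[key], c)
        day_sum[key] += c
    # Weekly and monthly totals are sums of the daily counts.
    week_sum, month_sum = Counter(), Counter()
    for (ident, day), c in day_sum.items():
        week_sum[(ident, _week_start(day))] += c
        month_sum[(ident, day.replace(day=1))] += c
    # Final max of each column; ids with no events stay at 0 instead of vanishing.
    out = {i: {"maxHour": 0, "maxDay": 0, "maxWeek": 0, "maxMonth": 0} for i in ids}
    for col, table in (("maxHour", day_hour_max), ("maxDay", day_sum),
                       ("maxWeek", week_sum), ("maxMonth", month_sum)):
        for (ident, _), c in table.items():
            out[ident][col] = max(out[ident][col], c)
    return out
```

Note that an id present in the lookup but absent from the index still gets a row of zeros, which is the row alignment the appendcols approach in the question cannot guarantee.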