https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403634#M116782 <P>@HattrickNZ add the following as your final pipe:</P> <PRE><CODE> &lt;yourCurrentSearch&gt; | eventstats max(Q) as W </CODE></PRE> Fri, 18 May 2018 04:41:32 GMT niketn 2018-05-18T04:41:32Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403632#M116780 <P>This is my sample search and corresponding output:</P> <PRE><CODE> | makeresults | eval data = " 1 2017-12 A 155749 131033 84.1; 2 2017-12 B 24869 23627 95; 3 2017-12 C 117618 117185 99.6; " | makemv delim=";" data | mvexpand data | rex field=data "(?&lt;serial&gt;\d)\s+(?&lt;date&gt;\d+-\d+)\s+(?&lt;type&gt;\w)\s+(?&lt;attempts&gt;\d+)\s+(?&lt;successfullAttempts&gt;\d+)\s+(?&lt;sr&gt;\d+)" | fields + date serial type attempts successfullAttempts sr | rename date as _time | search serial=* | eval Q=attempts | eval Q=if(Q==24869,"",Q) | eval Q=if(Q==117618,"",Q) </CODE></PRE> <P>OUTPUT</P> <PRE><CODE> _time serial type attempts successfullAttempts sr Q 1 2017-12 1 A 155749 131033 84 155749 2 2017-12 2 B 24869 23627 95 3 2017-12 3 C 117618 117185 99 </CODE></PRE> <P>I want to be able to get the value of Q(e.g. 155749 ) and create a new field called W but all the values of W would be 155749. Basically, fill out all the values in W with one value and that value being 155749, the max of Q in this case.</P> <P>Sample Output of what I would like </P> <PRE><CODE> _time serial type attempts successfullAttempts sr Q W 1 2017-12 1 A 155749 131033 84 155749 155749 2 2017-12 2 B 24869 23627 95 155749 3 2017-12 3 C 117618 117185 99 155749 </CODE></PRE> <P>I was thinking of doing <CODE>... | eval W=max(Q)</CODE> but that won't work but hopefully helps understand what I am trying to do.<BR /> maybe I need to use streamstats or other. I couldn't quite get it. Maybe I need a for loop? advice appreciated.</P> Fri, 18 May 2018 03:30:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403632#M116780 HattrickNZ 2018-05-18T03:30:04Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403633#M116781 <P>Can you try this:</P> <PRE><CODE>| makeresults | eval data = " 1 2017-12 A 155749 131033 84.1; 2 2017-12 B 24869 23627 95; 3 2017-12 C 117618 117185 99.6; " | makemv delim=";" data | mvexpand data | rex field=data "(?&lt;serial&gt;\d)\s+(?&lt;date&gt;\d+-\d+)\s+(?&lt;type&gt;\w)\s+(?&lt;attempts&gt;\d+)\s+(?&lt;successfullAttempts&gt;\d+)\s+(?&lt;sr&gt;\d+)" | fields + date serial type attempts successfullAttempts sr | rename date as _time | search serial=* | eval Q=attempts | eval Q=if(Q==24869,"",Q) | eval Q=if(Q==117618,"",Q) | eventstats max(Q) AS W </CODE></PRE> Fri, 18 May 2018 04:39:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403633#M116781 p_gurav 2018-05-18T04:39:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403634#M116782 <P>@HattrickNZ add the following as your final pipe:</P> <PRE><CODE> &lt;yourCurrentSearch&gt; | eventstats max(Q) as W </CODE></PRE> Fri, 18 May 2018 04:41:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403634#M116782 niketn 2018-05-18T04:41:32Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403635#M116783 <P>@HattrickNZ if your issue is resolved, please accept @p_gurav 's answer as he had beaten me to it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 21 May 2018 05:54:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-column-field-based-on-the-max-or-value-of/m-p/403635#M116783 niketn 2018-05-21T05:54:30Z