https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418651#M120364 <P>@maniu1609, try the following search:</P> <PRE><CODE>&lt;yourBaseSearch&gt; | bin _time span=1m | stats count by _time A1 | eventstats max(count) as Maximum by A1 | where count=Maximum </CODE></PRE> <P>PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.</P> Fri, 25 May 2018 16:59:27 GMT niketn 2018-05-25T16:59:27Z https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418650#M120363 <P>search query | timechart span=1m count by A1</P> <P>the above query gives me below output:</P> <P>_time column1 column2 column3<BR /><BR /> 2018-05-25 10:20:05 1 1 0<BR /><BR /> 2018-05-25 10:09:39 4 0 0<BR /><BR /> 2018-05-25 10:27:16 0 2 2<BR /><BR /> 2018-05-25 10:22:06 1 1 1<BR /><BR /> 2018-05-25 10:12:45 1 1 2<BR /><BR /> 2018-05-25 10:25:07 1 1 3 </P> <P>No of columns depends on the time range we choose(i.e) sometimes 3 columns and sometimes 6 columns and so on..<BR /> So if the above is my scenario, how I can find max values from each column and their _time value.</P> <P>My expected output is:</P> <P>_time column1 column2 column3<BR /><BR /> 2018-05-25 10:09:39 4 0 0<BR /><BR /> 2018-05-25 10:27:16 0 2 2<BR /><BR /> 2018-05-25 10:25:07 1 1 3 </P> <P>so out main aim here is, how we can find max value of columns created dynamically.</P> <P>Please help me out. I'm struggling with my task. </P> Fri, 25 May 2018 11:31:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418650#M120363 maniu1609 2018-05-25T11:31:56Z https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418651#M120364 <P>@maniu1609, try the following search:</P> <PRE><CODE>&lt;yourBaseSearch&gt; | bin _time span=1m | stats count by _time A1 | eventstats max(count) as Maximum by A1 | where count=Maximum </CODE></PRE> <P>PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.</P> Fri, 25 May 2018 16:59:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418651#M120364 niketn 2018-05-25T16:59:27Z https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418652#M120365 <P>Try something like this</P> <PRE><CODE>search query | timechart span=1m count by A1 | eventstats max(*) as max* | eval keep="N" | foreach max* [| eval keep=if('&lt;&lt;FIELD&gt;&gt;'='&lt;&lt;MATCHSTR&gt;&gt;',"Y",keep) ] | where keep="Y" | fields - max* keep </CODE></PRE> Fri, 25 May 2018 17:58:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418652#M120365 somesoni2 2018-05-25T17:58:09Z https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418653#M120366 <P>It works great!!. Thanks!!</P> Tue, 29 May 2018 11:18:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418653#M120366 maniu1609 2018-05-29T11:18:20Z https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418654#M120367 <P>it also works for me!!. Thanks!!</P> Tue, 29 May 2018 11:18:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-max-value-from-each-columns-that-are-created/m-p/418654#M120367 maniu1609 2018-05-29T11:18:52Z