https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439620#M125062 <P>Solution to my query:</P> <PRE><CODE> search_string|streamstats max(LoadTime) as max_time by Application|sort +Application -LoadTime|streamstats first(max_time) as max_time by Application|where LoadTime=max_time|table Application,max_time,User </CODE></PRE> <P>If you need to use stats function like sum as well on any of the field, you can do as follows:</P> <PRE><CODE> search_string|eventstats sum(LoadTime) as TotalTime by Application| streamstats max(LoadTime) as max_time by Application|sort +Application -LoadTime|streamstats first(max_time) as max_time by Application|where LoadTime=max_time|table Application,max_time,User,TotalTime </CODE></PRE> Thu, 14 Jun 2018 02:24:17 GMT ggangwar 2018-06-14T02:24:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439613#M125055 <P>Hi,<BR /> I have a table with the fields 'loadtime', 'application', and 'user'.<BR /> First I want to compute the maximum value of loadtime for all application. Then I want to create a table/chart which has application field's value in rows, corresponding maximum loadtime value in column. I also want to have user field's value for the maximum loadtime calculated for each application. <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5134i0012D3EF57A3B429/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> Is there any way to accomplish this using Splunk?</P> Thu, 07 Jun 2018 03:50:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439613#M125055 ggangwar 2018-06-07T03:50:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439614#M125056 <P>Is this OK?</P> <PRE><CODE>(your search)|stats max(loadtime) as loadtime by application,user </CODE></PRE> Thu, 07 Jun 2018 05:07:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439614#M125056 HiroshiSatoh 2018-06-07T05:07:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439615#M125057 <P>No, it displays results by both columns i.e. for every user wise I will get the result using suggested query. </P> Thu, 07 Jun 2018 07:11:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439615#M125057 ggangwar 2018-06-07T07:11:30Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439616#M125058 <P>Can anyone please help in above query?</P> Sat, 09 Jun 2018 17:31:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439616#M125058 ggangwar 2018-06-09T17:31:33Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439617#M125059 <P>@ggangwar your requirement and table snapshot is confusing. As per your question you need <CODE>...maximum value of loadtime for all application</CODE> which should have only one value for Application1 i.e. 120.</P> <P>As per your screenshot seems like you have two max loadTimes per application per user i.e. 120 for user abc and 100 from user xyz for Application1. So, as per your table @HiroshiSatoh seems to be correct. So, if it is not we would need further raw events i.e. data sample with Application/s and Users/s with various loadtime and the final output that you need.</P> Sun, 10 Jun 2018 16:24:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439617#M125059 niketn 2018-06-10T16:24:29Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439618#M125060 <P>Apologies for confusion and typo error from me. Its Application2 in second row:</P> <PRE><CODE> LoadTime User </CODE></PRE> <P>Application1 120 abc<BR /> Application2 100 xyz</P> Mon, 11 Jun 2018 15:44:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439618#M125060 ggangwar 2018-06-11T15:44:56Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439619#M125061 <P>I have got the solution. Using streamstats I can achieve these stats.</P> <PRE><CODE>search_string|streamstats max(LoadTime) as max_time by Application|sort +Application -LoadTime|streamstats first(max_time) as max_time by Application|where LoadTime=max_time|table Application,max_time,User </CODE></PRE> Tue, 12 Jun 2018 03:02:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439619#M125061 ggangwar 2018-06-12T03:02:51Z https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439620#M125062 <P>Solution to my query:</P> <PRE><CODE> search_string|streamstats max(LoadTime) as max_time by Application|sort +Application -LoadTime|streamstats first(max_time) as max_time by Application|where LoadTime=max_time|table Application,max_time,User </CODE></PRE> <P>If you need to use stats function like sum as well on any of the field, you can do as follows:</P> <PRE><CODE> search_string|eventstats sum(LoadTime) as TotalTime by Application| streamstats max(LoadTime) as max_time by Application|sort +Application -LoadTime|streamstats first(max_time) as max_time by Application|where LoadTime=max_time|table Application,max_time,User,TotalTime </CODE></PRE> Thu, 14 Jun 2018 02:24:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-value-of-a-field-corresponding-to-max-value-of/m-p/439620#M125062 ggangwar 2018-06-14T02:24:17Z