https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487466#M136230 <P>Thanks for your reply, it works.</P> Wed, 15 Jan 2020 19:50:37 GMT wsabry 2020-01-15T19:50:37Z https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487464#M136228 <P>Hello,</P> <P>I have SPL search that returns output in the following format:</P> <P>Device K1 K2 K3<BR /> A x1 y1 z1<BR /> B x2 y2 z2<BR /> C x3 y3 z3</P> <P>I would like to generate table with max value of each column and row key value (Device in my example above), so the output should be in the following format:<BR /> Key Max Device<BR /> k1 x1 A<BR /> k2 y3 C<BR /> k3 z3 C</P> <P>I can find the max value of each column using fieldsummary for example, but then the device id is missing.<BR /> How can I do that, thanks in advance.</P> Tue, 14 Jan 2020 21:32:09 GMT https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487464#M136228 wsabry 2020-01-14T21:32:09Z https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487465#M136229 <P>hello there,</P> <P>here is a clumsy solution, try the following search anywhere.<BR /> I bet there are better ways, its just been a very long day <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <PRE><CODE>| makeresults count=1 | eval data="A 1 5 10;;;B 2 11 8;;;C 3 23 4;;;D 91 2 21;;;E 7 1 200;;;F 74 22 11" | makemv delim=";;;" data | mvexpand data | rex field=data "(?&lt;device&gt;[^\s]+)\s(?&lt;k1&gt;[^\s]+)\s(?&lt;k2&gt;[^\s]+)\s(?&lt;k3&gt;[^\s]+)" | table device k* | rename COMMENT as "the above generates data below is the solution" | eval no_op = " " | xyseries no_op device k1 k2 k3 | transpose | rename column as base "row 1" as values | rex field=base "(?&lt;key&gt;[^\:]+)\:\s+(?&lt;device&gt;.*+)" | eventstats max(values) as max_values by key | where max_values = values </CODE></PRE> <P>hope it helps</P> Wed, 15 Jan 2020 03:15:54 GMT https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487465#M136229 adonio 2020-01-15T03:15:54Z https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487466#M136230 <P>Thanks for your reply, it works.</P> Wed, 15 Jan 2020 19:50:37 GMT https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487466#M136230 wsabry 2020-01-15T19:50:37Z https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487467#M136231 <PRE><CODE>| makeresults | eval _raw="device k1 k2 k3 A 1 5 10 B 2 11 8 C 3 23 4 D 91 2 21 E 7 1 200 F 74 22 11" | multikv forceheader=1 | table device k* | rename COMMENT as "the above generates data below is the solution" | stats list(*) as * | untable device Key Max | eval counter=mvfind(split(Max," "),max(split(Max," "))) | eval device=mvindex(device,counter), Max=mvindex(split(Max," "),counter) | table Key device Max </CODE></PRE> <P>Hi @wsabry<BR /> Here is another way.</P> Wed, 15 Jan 2020 22:21:22 GMT https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487467#M136231 to4kawa 2020-01-15T22:21:22Z https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487468#M136232 <P>cool <CODE>xyseries</CODE></P> Wed, 15 Jan 2020 22:47:42 GMT https://community.splunk.com/t5/Splunk-Search/for-each-column-return-max-value-and-row-key-value/m-p/487468#M136232 to4kawa 2020-01-15T22:47:42Z