topic Re: Updating maximum value in Splunk Search

Updating maximum value

michaelbosch — Sat, 07 Nov 2020 19:20:38 GMT

I have a data set with values in a specific moment in time. Each day can have multiple values (but in different events). I want to find the events that have the highest value in that moment in time. For example, if the data is the following:

Day1, 10
Day2, 13
Day2, 12
Day3, 11
Day3, 14
Day 4, 12
Day 5, 15

The search should return that Day1, Day2 (the first row), Day3 (the second row) and Day5 had the highest numbers at the moment they occurred. I do not only want the final highest value but the maximum at that moment in time (like the events after it didn't happen). For example, an additional column can be added which indicates whether it is/was the highest result.

Day1, 10, Yes
Day2, 13, Yes
Day2, 12, No
Day3, 11, No
Day3, 14, Yes
Day 4, 12, No
Day 5, 15, Yes

I have been trying to achieve this with the MAX function but I couldn't get it working. Is it possible to achieve this?

Re: Updating maximum value

gcusello — Sun, 08 Nov 2020 06:48:20 GMT

Hi @michaelbosch,

the streamstats command is the solution for your need, see this example:

index=_internal | dedup date_hour timeendpos | table date_hour timeendpos | streamstats max(timeendpos) AS max BY date_hour | eval check=if(timeendpos=max,"Yes","Not")

Ciao.

Giuseppe

Re: Updating maximum value

to4kawa — Sun, 08 Nov 2020 08:41:32 GMT

Not much has changed, though.
You can use eventstats for dates.

Re: Updating maximum value

michaelbosch — Sun, 08 Nov 2020 10:16:23 GMT

Thank you for your reply. The results can have different timestamps. Using | streamstats max(timeendpos) AS max BY date_hour, the maximum will be found by date_hour, right? I now use another column to group by and it seems to work now!

Re: Updating maximum value

gcusello — Sun, 08 Nov 2020 10:30:37 GMT

Hi @michaelbosch,

it was a sample to explain to you how to approach the problem!

Ciao.

Giuseppe