Topic: How would I return the value of a correlating field by giving the value of another field... (Splunk Search)
https://community.splunk.com/t5/Splunk-Search/How-would-I-return-the-value-of-a-correlating-field-by-giving/m-p/558180#M158541

How would I return the value of a correlating field by giving the value of another field...
https://community.splunk.com/t5/Splunk-Search/How-would-I-return-the-value-of-a-correlating-field-by-giving/m-p/558165#M158532
I am working with a stats table with 7 fields.

| tstats count as "f" where a=* b=* c=* d=* e=* by a b c d e
| stats
    sum(f) as f
    list(f) as f_list
    max(f) as f_max
    list(c) as c_list
    list(d) as d_list
    list(e) as e_list
    by b

I would like to be able to take:

    b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Anyone able to provide the SPL for this type of search?

Posted Fri, 02 Jul 2021 15:13:49 GMT by jason_hotchkiss

Re: How would I return the value of a correlating field by giving the value of another field...
https://community.splunk.com/t5/Splunk-Search/How-would-I-return-the-value-of-a-correlating-field-by-giving/m-p/558171#M158536
Please can you clarify. You said you are working with 7 fields, by which it appears you mean f, f_list, f_max, c_list, d_list, e_list and b. None of these is a_list or b_list and it isn't clear which is a's f_max.

Posted Fri, 02 Jul 2021 14:48:59 GMT by ITWhisperer

Re: How would I return the value of a correlating field by giving the value of another field...
https://community.splunk.com/t5/Splunk-Search/How-would-I-return-the-value-of-a-correlating-field-by-giving/m-p/558177#M158539
Oops,

I meant:

    b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Basically, I am working with the count of events from index, sourcetype, source, host, and a custom field added to tsidx files.

b = sourcetype. f_max is the largest value found in f_list. I am trying to determine what values correlate to the c_list, d_list, e_list, and f_list.

Out of all our sources within a sourcetype, which one is the largest, what is its name, where it is coming from, and which group owns it (the customer field).

Posted Fri, 02 Jul 2021 15:19:52 GMT by jason_hotchkiss

Re: How would I return the value of a correlating field by giving the value of another field...
https://community.splunk.com/t5/Splunk-Search/How-would-I-return-the-value-of-a-correlating-field-by-giving/m-p/558180#M158541
Will something like this work for you?

| tstats count as "f" where a=* b=* c=* d=* e=* by a b c d e
| eventstats max(f) as f_max by b
| where f=f_max

Posted Fri, 02 Jul 2021 15:29:26 GMT by ITWhisperer
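The answer above, modelled in Python on constructed tstats-style rows as an added example (not from the thread or from Splunk): it shows why eventstats keeps the source, host and owner columns on the winning row, which the original stats/list() approach had detached from f_max, and that `where f=f_max` returns every tied row within a sourcetype. The break_ties helper is an assumption of this example, not part of the thread's SPL.

```python
"""Simulate `| eventstats max(f) as f_max by b | where f=f_max` on
constructed rows shaped like the thread's `tstats count ... by a b c d e`:
a=index, b=sourcetype, c=source, d=host, e=owner (custom tsidx field), f=count.
"""

# Constructed sample rows; the two "syslog" rows on db01/db02 tie on purpose.
TSTATS_ROWS = [
    {"a": "main", "b": "access_combined", "c": "/var/log/nginx/a.log", "d": "web01", "e": "team-web", "f": 120},
    {"a": "main", "b": "access_combined", "c": "/var/log/nginx/b.log", "d": "web02", "e": "team-web", "f": 340},
    {"a": "main", "b": "syslog", "c": "/var/log/messages", "d": "db01", "e": "team-db", "f": 75},
    {"a": "main", "b": "syslog", "c": "/var/log/messages", "d": "db02", "e": "team-db", "f": 75},
    {"a": "sec", "b": "syslog", "c": "/var/log/auth.log", "d": "bastion", "e": "team-sec", "f": 40},
]


def eventstats_max_by(rows, value_field, by_field, out_field):
    """| eventstats max(value_field) as out_field by by_field
    Unlike stats, every input row survives with all its fields and simply
    gains the group maximum, so c/d/e stay attached to their own f."""
    maxes = {}
    for r in rows:
        key = r[by_field]
        maxes[key] = max(maxes.get(key, r[value_field]), r[value_field])
    return [dict(r, **{out_field: maxes[r[by_field]]}) for r in rows]


def where_equal(rows, left, right):
    """| where left=right"""
    return [r for r in rows if r[left] == r[right]]


def top_source_per_sourcetype(rows):
    """The thread's pipeline after tstats. Ties are kept, so one sourcetype
    can yield several rows; callers wanting exactly one must break ties."""
    return where_equal(eventstats_max_by(rows, "f", "b", "f_max"), "f", "f_max")


def break_ties(rows, by_field="b", tiebreak=("d", "c")):
    """Deterministic tiebreak (assumed addition, not from the thread):
    keep the first row per group after sorting on the tiebreak fields,
    the same effect as `| sort b d c | dedup b` in SPL."""
    seen, out = set(), []
    for r in sorted(rows, key=lambda r: tuple(r[k] for k in (by_field, *tiebreak))):
        if r[by_field] not in seen:
            seen.add(r[by_field])
            out.append(r)
    return out
```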